
Risk Analysis: A valuable tool for organizations / comparative analysis

By Manolis Fragkos, BSc Finance, MSc Infosec


Senior Security Engineer
Obrela Security Industries

Monday, 13 February 2006


Obrela Security Industries Risk Analysis A valuable tool for organizations / comparative
analysis

Commercial In Confidence Page 2 of 21

1 Introduction
We are living in an Information Society. Over the past few years there has been a rapid
development of global IT infrastructures, which has allowed the movement of information
within and between organizations and across national borders. This growth of IT infrastructures
and computer networks is fundamentally shifting the way information is managed today. In this
environment, where almost every organization is increasing its reliance on information and
computer processing facilities, new dependencies and new risks are born.

As more and more organizations open their internal networks to customers, business partners
and suppliers, they must make sure that information remains available and trustworthy yet
protected from intrusion. Information is a valuable business asset and it needs to be protected
to ensure business continuity, minimize business damage and maximize return on investment
and business opportunities.

Today, organizations need to realize that in order to protect their information assets in an
effective and efficient way they must understand the risks associated with the use of their
information systems. In this context, a risk assessment methodology represents a valuable tool
which modern organizations can use, firstly, to identify and rate the risks associated with the
use of their information systems and, secondly, to take the appropriate measures to protect
those systems. The purpose of this paper is to address the issue of risk with respect to
information security and to answer the following questions:

> What is risk with respect to information security?
> What are the key elements of information security risk?
> Why is it important for organizations to gain a clear understanding of the
risks associated with the use of their information systems?
> What are the key elements of risk assessment?
> Which are the two most widely used risk assessment methodologies?

Commercial In Confidence Obrela Security Industries Prepared By Manolis Fragkos



2 Defining and Calculating Risk


In the literature one can find many definitions of risk. With respect to information security we
can say that risk is a measure of the impact of something undesirable happening combined with
the likelihood of its occurring; the impact can be expressed in money and the likelihood as a
frequency. Risks can be measured in two primary ways: quantitatively and qualitatively.

2.1 Quantitative Approach


A quantitative approach estimates the monetary costs of risk and of risk reduction techniques,
based on the likelihood that a damaging event will occur, the costs of potential losses, and the
costs of mitigating actions that could be taken. When risks are measured in this way one can
compare the cost of a risk against the cost of implementing security controls to reduce or
eliminate it. In business terms this is referred to as return on investment (ROI) analysis,
which is a way of justifying why to take a certain action, or why not to take it. In
mathematical terms quantitative risk can be expressed as the Annualized Loss Expectancy (ALE),
which is determined according to the following formula:

ALE = SLE x ARO

The SLE (Single Loss Expectancy) is the monetary loss from a single occurrence of the risk: the
amount the organization stands to lose if a specific threat exploits a vulnerability once. The
SLE is calculated by multiplying the Asset Value by the Exposure Factor:

SLE = Asset Value x Exposure Factor

The Asset Value is, as the name suggests, the total value of an asset. The Exposure Factor is
the percentage of the asset's value that a realized threat would destroy. The ARO (Annualized
Rate of Occurrence) is the number of times (frequency) that an organization expects the risk to
occur during one year. These two factors are combined to produce the ALE, which is essentially
the monetary risk for a given asset with respect to certain exposures or threats. When all
assets and exposures have been identified and factored together, an overall assessment of the
monetary risk is obtained by summing the individual ALEs.

The quantitative approach is the standard way of measuring risk in finance, insurance and
similar fields. However, it is not the most appropriate approach to risk measurement in
information security. There are many reasons to support this view; some of them are given
below.

There is limited data on risk factors such as the likelihood of a sophisticated hacker attack
and the costs of damage, loss or disruption caused by events that exploit security
weaknesses (i.e. there is a lack of the statistical information that would make it possible to
determine frequency). Some costs, such as loss of consumer confidence, are difficult to measure.


Although the costs of the hardware and software needed to strengthen controls may be
known, it is often not possible to precisely estimate the related indirect costs, such as the
possible loss of productivity that may result when new controls are implemented.

Even if precise information is available, it will soon be out of date due to fast paced changes in
technology and factors such as improvements in tools available to intruders.

Organizations that have tried to meticulously apply all aspects of the quantitative approach
have found the process to be extremely costly. Such attempts usually take a very long time to
complete their first full cycle, and they usually involve many staff members arguing over the
details of how specific monetary values were calculated.

This lack of reliable and current data often prohibits accurate determinations. Because of this
limitation, it is important that organizations identify and employ methods that efficiently
achieve the benefits of risk assessment while avoiding costly attempts to develop seemingly
precise results that are of questionable reliability.
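The ALE arithmetic (SLE = asset value x exposure factor, ALE = SLE x ARO) and the return-on-investment comparison of candidate controls described above, as an added worked example in Python. This code is not part of the original paper; every figure in it (the assets, exposure factors, annual rates of occurrence and control costs) is a constructed assumption for illustration, not a statistic from any real organization.

```python
"""Quantitative risk (ALE) and control cost-benefit, as described in section 2.1.

Added example, not part of the original paper. Asset values, exposure
factors, rates of occurrence and control costs are constructed figures for
illustration, not statistics from any real organization.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One (asset, threat) pair with its quantitative risk factors."""
    asset: str
    threat: str
    asset_value: float      # AV: total value of the asset, in currency units
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0.0..1.0
    aro: float              # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and its expected effect on one exposure."""
    name: str
    annual_cost: float          # purchase and maintenance cost per year
    new_exposure_factor: float  # EF once the control is in place
    new_aro: float              # ARO once the control is in place


def control_value(exposure: Exposure, control: Control) -> float:
    """Annual net benefit of a control: ALE(before) - ALE(after) - annual cost.

    Positive: the control avoids more loss than it costs. Negative: it costs
    more than the risk it removes, so on ROI grounds it is not justified.
    """
    after = Exposure(exposure.asset, exposure.threat, exposure.asset_value,
                     control.new_exposure_factor, control.new_aro)
    return exposure.ale() - after.ale() - control.annual_cost


def best_control(exposure: Exposure, candidates):
    """The candidate with the highest net benefit, or None if none pays for itself."""
    if not candidates:
        return None
    scored = [(control_value(exposure, c), c) for c in candidates]
    value, control = max(scored, key=lambda vc: vc[0])
    return control if value > 0 else None


def total_ale(exposures) -> float:
    """Overall monetary risk once all assets and exposures are factored together."""
    return sum(e.ale() for e in exposures)


# Constructed portfolio (hypothetical figures).
EXPOSURES = [
    Exposure("customer database", "disclosure via web application flaw",
             asset_value=500_000.0, exposure_factor=0.40, aro=0.5),
    Exposure("file server", "ransomware outbreak",
             asset_value=120_000.0, exposure_factor=0.75, aro=0.25),
    Exposure("office laptops", "theft",
             asset_value=60_000.0, exposure_factor=0.05, aro=4.0),
]

# Two candidate controls for the first exposure (hypothetical costs and effects).
WAF = Control("web application firewall", annual_cost=30_000.0,
              new_exposure_factor=0.40, new_aro=0.1)
REWRITE = Control("full application rewrite", annual_cost=150_000.0,
                  new_exposure_factor=0.40, new_aro=0.02)

if __name__ == "__main__":
    for e in EXPOSURES:
        print(f"{e.asset:18} SLE={e.sle():>10,.0f}  ALE={e.ale():>10,.0f}")
    print(f"total ALE: {total_ale(EXPOSURES):,.0f}")
    for c in (WAF, REWRITE):
        print(f"{c.name}: net annual benefit {control_value(EXPOSURES[0], c):,.0f}")
    chosen = best_control(EXPOSURES[0], [WAF, REWRITE])
    print("recommended:", chosen.name if chosen else "none (accept the risk)")
```

With these figures the web application firewall cuts the database ALE from 100,000 to 20,000 for a 30,000 annual cost, a net gain of 50,000, while the rewrite removes slightly more risk but costs more than the whole ALE and so is rejected. The point the paper makes in the next paragraphs still applies: the decision is only as good as the ARO and exposure factor estimates, and both are assumptions here.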

2.2 Qualitative Approach


In the qualitative approach, a comparative method is used to determine which risks are most
serious and need to be mitigated. In other words, the qualitative approach seeks to identify and
rate risks relative to each other. In contrast to the quantitative approach, what is determined
is the perceived impact of the loss, corruption, or unavailability of an asset. The key elements
of this approach are: Asset Value, Vulnerability, Threats and Controls. An important
characteristic of the qualitative approach worth mentioning is that the exposure factor and the
frequency of occurrence are not present. Instead, the qualitative approach uses vulnerabilities
and threats to establish which risks are greater than others.

As we have already mentioned, the key elements of the qualitative approach are: Asset Value,
Vulnerability, Threats and Controls. As with the quantitative approach, an asset is anything of
value. For example, this could be a server, it could be data, or it could be an organization's
reputation. In terms of risk, assets are what we want to protect. A vulnerability is anything
that could be exploited to gain access to an asset or to deny access to it. Vulnerabilities
exist because, most of the time, assets lack protection. If controls (means of protection) were
put in place, the vulnerabilities would be reduced. A threat is anything or anyone that can
exploit a vulnerability to obtain, alter or deny access to an asset.

A risk is created when an activity the organization undertakes makes an asset vulnerable and
there are threats that can exploit the vulnerability. The risk can therefore be represented
according to the following formula:

Relative Risk = Asset Value x Vulnerability x Threat

If the asset value is high, the vulnerability is high and the threat is high then the risk is high. If
all are low then the risk is low. Conversely, the asset may be very valuable but the vulnerability
and threat may be extremely low; in this case the risk is low. Thus all elements of risk (Asset
Value, Vulnerability, Threat) contribute to the level of risk associated with a given activity or
situation.

The main difference between the quantitative approach and the qualitative approach is in the
details used to determine risks. In the qualitative approach comparisons between the value of
one asset and another are relative, and participants do not invest a lot of time trying to
calculate precise financial numbers for asset valuation. The same is true for calculating the
possible impact from a risk being realized and the cost of implementing controls. The benefits
of a qualitative approach are that it overcomes the challenge of calculating accurate figures for
asset value, cost of control, and so on, and the process is much less demanding on staff.
Using a qualitative approach to determine risks can typically start to show significant results
within a few weeks, whereas most organizations that choose a quantitative approach see little
benefit for months, and sometimes even years, of effort.
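The relative rating the paragraphs above describe, as an added example in Python (not code from the original paper). The three-point ordinal scale, the asset register and the effect of the control are constructed assumptions; the point is that the scores only order the risks against each other and carry no monetary meaning.

```python
"""Qualitative (relative) risk rating, as described in section 2.2.

Added example, not part of the original paper. The rating scale, the asset
list and the control effect are constructed assumptions used to show how
Asset Value x Vulnerability x Threat ranks risks against each other without
any monetary figures.
"""
from dataclasses import dataclass, replace

# Ordinal scale: the numbers only order risks; they are not money or frequency.
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class QualitativeRisk:
    """One asset/threat pair rated on the ordinal scale."""
    asset: str
    threat: str
    asset_value: str    # "low" | "medium" | "high"
    vulnerability: str  # "low" | "medium" | "high"
    threat_level: str   # "low" | "medium" | "high"

    def score(self) -> int:
        """Relative Risk = Asset Value x Vulnerability x Threat (ordinal product)."""
        try:
            return (SCALE[self.asset_value] * SCALE[self.vulnerability]
                    * SCALE[self.threat_level])
        except KeyError as bad:
            raise ValueError(f"rating must be one of {list(SCALE)}: {bad}") from None


def rank(risks):
    """Order risks from most to least serious; ties keep their input order."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def apply_control(risk: QualitativeRisk, vulnerability_after: str) -> QualitativeRisk:
    """A control lowers the vulnerability rating; asset value and threat are unchanged."""
    if vulnerability_after not in SCALE:
        raise ValueError(f"rating must be one of {list(SCALE)}")
    return replace(risk, vulnerability=vulnerability_after)


# Constructed risk register (hypothetical).
RISKS = [
    QualitativeRisk("customer database", "SQL injection", "high", "high", "high"),
    QualitativeRisk("customer database", "insider misuse", "high", "low", "low"),
    QualitativeRisk("public web site", "defacement", "medium", "high", "high"),
    QualitativeRisk("print server", "malware", "low", "high", "medium"),
]

if __name__ == "__main__":
    for r in rank(RISKS):
        print(f"{r.score():>2}  {r.asset} / {r.threat}")
    # Patching the injectable code path drops the top risk's vulnerability to low.
    fixed = apply_control(RISKS[0], "low")
    print("after control:", fixed.score())
```

Note the second register entry: a high-value asset with low vulnerability and low threat scores 3, the lowest in the register, which is exactly the case the text describes. The same control that turns the SQL injection risk from 27 into 9 does not change where the other three sit, so re-ranking after each control is how the approach tells you which risk to treat next.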

3 The Value of Assessing Risk


As mentioned earlier, organizations today need to realize that in order to protect their
information assets in an effective and efficient way they must understand the risks associated
with the use of their information systems. This understanding is gained through the assessment
of risks, which in turn can help an organization to:

> Identify gaps in its security posture.
> Revise security policies and procedures and establish cost effective
techniques for implementing these policies and procedures.
> Help non-technical decision makers understand the costs and
benefits of implementing security and see for themselves what the
impacts of their various decisions will be.
> Make decision makers see that security is actually a business issue and
not just a technical one.
> Identify, rate and compare risks.
> Take advantage of expert knowledge and put in place controls in order to
mitigate the most important risks faced by its information assets.


3.1 Key Elements of Risk Assessment Methodologies


Most risk assessment methodologies contain all or most of the elements below, even though
some methodologies differ considerably from others:

> Identify and Assign Values to Assets
> Identify Exposure / Vulnerabilities, Threats and Controls
> Assess Risks for each Asset
> Control recommendations and security strategy and plans development

Having identified the key elements of a risk assessment methodology, in the next three
sections of this paper we continue our discussion by presenting and comparing two of the
most widely used risk assessment methodologies, OCTAVE and CRAMM.


4 The OCTAVE Risk Assessment Methodology


OCTAVE was developed by the Carnegie Mellon Software Engineering Institute. The
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) method is usually
led by a small, interdisciplinary team (the Analysis Team) drawn from the organization's own
personnel and focuses on the organization's assets and the risks to those assets. These assets
are identified through interviews conducted within the organization at the strategic, tactical
and operational levels. The essential elements of the OCTAVE approach are embodied in a set
of criteria that define the requirements for OCTAVE.

4.1 OCTAVE Approach


OCTAVE has a three-phased approach to the identification of the organization's information
security needs. The three phases examine organizational and technological issues within the
organization and, through a series of workshops, provide a comprehensive picture of the
organization's information security needs. The three phases are:

> Build asset-based threat profile,
> Identify infrastructure vulnerabilities, and,
> Develop security strategy and plans.

OCTAVE does not take the probability component of threat into consideration when
determining risk, and uses a qualitative approach to valuation.

Through the process the analysis team identifies critical assets and focuses the risk analysis
activities on those assets. This is referred to as an asset-driven evaluation approach. The
participants of the workshops are employees from tactical, strategic and operational levels.
Workshops can either be facilitated discussions where employees participate, or workshops
where the risk analysis team conducts activities on their own.

4.2 OCTAVE Processes


The OCTAVE methodology consists of three phases made up of eight processes, each with its
own activities. The processes and activities are discussed within each phase.

Phase 1: Build Asset-based Threat Profile


The goal of the first phase is to construct the organizational view. This phase consists of
four processes that are focused on gathering multiple perspectives on information security.
These perspectives are based on the knowledge of the employees, and different employee
levels of the organization are drawn upon in this phase.


a) Processes 1 to 3: Identify Employee Knowledge

During the identification of employee knowledge processes, the three key areas identified by
OCTAVE are senior management knowledge, operational area management knowledge and
staff knowledge. Each of these three employee levels corresponds to a process.

There are four activities that have to be performed within each of these three processes. They
are:

> Identify assets and relative priorities: information-related assets that
enable employees to perform their job are identified. From this activity a
small number of assets are isolated and will form the focus for the
remaining assessment processes.
> Identify areas of concern: analysis participants identify areas that
concern them as to how the most important assets can be threatened.
Known threat sources and outcome-of-threat prompts assist in
developing scenarios.
> Identify security requirements for the most important assets: certain
qualities of an asset are important to the organization. This activity is
geared towards identifying those qualities and translating them into
security requirements on which to focus.
> Capture knowledge of current security practices and organizational
vulnerabilities: organizations have to establish their current information
security position before continuing to protect the assets. Best practice
codes and security standards provide guidance and benchmarking
information.

b) Process 4: Create Threat Profile

Process 4 serves two functions: consolidating the information that was gathered during the
preceding processes, and setting the scope for the rest of the processes. Creating threat
profiles consists of three primary activities. They are:

> Select critical assets: the team determines which assets will have a
large adverse impact on the organization if the identified security
requirements of the assets are violated.
> Refine security requirements for critical assets: security requirements
were identified in a preceding activity. This activity refines those security
requirements for the critical assets and prioritizes them.
> Identify threats to critical assets: the concerns that were noted are used to
develop a generic threat profile for the critical assets. The generic threat
profile is then scrutinized to identify and add any threats that have not
been taken into account.

Phase 2: Identify Infrastructure Vulnerabilities

Phase 2 is also known as the technology view. Whereas the first phase focused on the
organizational view and constructed an employee or human view of the organizational assets
and threats, this view focuses on the organizational computing infrastructure. The goal of this
phase is to identify any technological vulnerabilities in the system. This phase focuses on the
parts that were identified in the previous phase as critical assets.

a) Process 5: Identify Key Components

Information from the preceding processes is used to determine how to evaluate the
organization's computing infrastructure for technological vulnerabilities. During this process
key classes of components are identified, for instance servers, laptops and wireless
components. These classes assist in selecting specific components, evaluation approaches
and the extent to which the vulnerabilities will be evaluated.

b) Process 6: Evaluate Selected Components

This process's primary goal is data collection and analysis. It is achieved by a single
activity: reviewing technology vulnerabilities and summarizing the results. Prior to this
process's workshop, tools should be used to determine the technological vulnerabilities of the
selected components of the critical assets. At the end of the preliminary technology
vulnerability assessment and the workshop, a summarized vulnerability report with
interpretation is produced by the risk analysis team.


Phase 3: Develop Security Strategy and Plans

Phase 3s goal is to make sense of the information gathered during the two preceding phases.
The human and technological views are consolidated to provide a picture of the
organizational risk view. During this phase the risk analysis team develops security strategies.
In order to develop security strategies the identified risks have to be analyzed first.

a) Process 7: Conduct Risk Analysis

This process is the starting point for linking the identified critical assets to what is important
for the organization. The activities of process 7 are:

> Identify the impact of threats to the critical assets: this activity links the
impact a threat has on an asset with that asset, which is important for an
organization as it brings the components into context with the objectives of
the organization.
> Create risk evaluation criteria: this activity defines the risk tolerance of
the organization. A single set of criteria is created; there is no evaluation
criteria set per asset.
> Evaluate the impact of threats on the critical assets: the previous two
activities lead to the evaluation of the impacts of threats on the critical
assets, which will guide the risk mitigation strategy.

b) Process 8: Develop Protection Strategy

The previous process provides enough information for the team to develop tactical and
strategic solutions to manage information security risk within the organization. This process
consists of four activities.

> Review risk information: during this activity the information that was
gathered during the preceding process is collected and reviewed.
> Create protection strategy: a protection strategy defines the strategy
that an organization is undertaking to manage its internal security. The
protection strategy incorporates short- to long-term activities. The Catalog
of Practices provided by the methodology can be used during this
activity.
> Create mitigation plans: the mitigation plans identify how the organization
is going to address the risks specific to the critical assets. Mitigation plans
include actions and countermeasures.
> Create action list: the action list contains the actions that the organization is
going to take in the near future that do not require specialized activities,
for instance policy changes or formal employee training.


5 The CRAMM Risk Assessment Methodology


In 1985 the UK government's Cabinet Office tasked the Central Computer and
Telecommunications Agency (CCTA) with investigating the risk analysis and management
methods in existence within Central Government for Information Technology. Following their
investigation a new method was developed by the CCTA which drew upon all of the existing
best practices, under the title of the CCTA Risk Analysis and Management Method, or
CRAMM. Various software packages based on the CRAMM method were released during the
1990s; from 2001 the method was wholly funded by Insight Consulting, which released
CRAMM version 5 in 2003.

5.1 CRAMM Approach


A CRAMM review is conducted in three stages. During the first stage the organization's
business, assets and inventory are determined and a model of the organization is built.
Threats, vulnerabilities and measures of risk are determined in the second stage. In the final
stage the CRAMM software proposes countermeasures based on the results of the preceding
stages.

CRAMM defines risk as a function of two separate components: the likelihood that an
unwanted incident will occur and the impact that will result from the incident. CRAMM consists
of two distinct processes: analysis and management.

CRAMM has an extensive control database, consisting of over 3,000 security controls, which
is constantly updated. Whenever a control is proposed by the software, supporting information
such as the control's motivation, cost, benefits, expected advantage and control type is
provided.

CRAMM's methodology focuses on identifying risks to important assets and implementing
countermeasures with the replacement value of the physical asset in mind. Although data is
valued according to business impact, CRAMM still employs probability as part of the
assessment.


5.2 CRAMM Processes


CRAMM consists of seven steps grouped into two processes. The two processes are analysis
and management. Each step in the processes is discussed in more detail below.

a) Assets - Analysis
Critical assets are determined through interviews. The interviewer creates asset groups on the
basis of how physical assets, software and hardware interrelate. Physical assets are valued at
their replacement value and data assets on the business impact if the data is compromised.
Data assets and their values are determined by the data owners. The valuation step provides
the impact component of risk. The data values are determined by discussing the worst-case
scenario for each of the security requirements.

Although CRAMM assigns a replacement value to the physical asset and an estimated
business value to the data asset, they are grouped together into asset groups. The asset
groups are used in order to speed up the risk analysis process.

b) Threats - Analysis
A threat assessment involves identifying and assessing the level of threat to the assets of a
system. The level of threat is measured as a likelihood of occurrence. Threats are identified
for asset groups and not for individual assets. CRAMM provides lists of threat types that
can be linked to asset groups. Threats are identified through structured questionnaires
produced by CRAMM. Threats are assigned a qualitative value on a five-point scale: very low,
low, medium, high or very high.

c) Vulnerability - Analysis
Vulnerability is a measure of inherent weakness within the system or network. Threat and
vulnerability assessment together deliver the likelihood component of risk assessment.
Qualitative values are assigned as vulnerability ratings: low, medium or high.

d) Risk Assessment - Analysis


A risk assessment involves measuring the level of risk to the system or network. The level of
risk is derived from the value of the assets, the level of threat and the extent of the
vulnerability. Measures of risk translate directly into measures of security requirements, so
that where there is a high risk there is a high requirement for security.

The risk value is calculated within the CRAMM software product. During the automated risk
estimation, referred to as the MOR (Measure of Risk), a value is calculated for each threat to all
assets in an asset group, for the assets that depend on them or on which they depend, and for
all types of impact that could result from the threat.


e) Countermeasure - Management
Countermeasures are recommended by the CRAMM tool according to the calculated measure
of risk. The controls are drawn from a variety of authoritative sources, which include the UK's
Security Authorities, BS 7799, the Information Technology Security Evaluation Criteria
and Insight Consulting. The proposed controls have to be evaluated against the budget,
practical implementation issues and the existing countermeasures.

f) Implementation - Management
The countermeasures recommended in the previous step have to be implemented. These
countermeasures come from a database within CRAMM, and the software package does not
take into consideration the environment in which the organization finds itself. CRAMM
proposes the most effective controls; however, certain controls can mitigate more than one
risk, and this decision or correlation has to be made during the implementation process.

g) Audit - Management
A benefit outlined by CRAMM is the auditability of the CRAMM review. At each step of the
CRAMM processes, the previous steps can be reviewed. CRAMM further allows for an audit
of the suitability and status of security controls on an existing system. CRAMM is an
information security risk assessment methodology that focuses more on the technical nature
of risk, whereas some other methodologies focus on the business view of risk assessment.


6 Comparing the Two Risk Assessment Methodologies


6.1 Assets Identification and Evaluation
OCTAVE evaluates information assets by identifying those that are most critical to the
continuation of the organization's core missions. The main advantage of this approach is that
the OCTAVE methodology focuses on operational systems that have an immediate effect on
the organization. Information assets to be evaluated are identified and prioritized through a
process consisting of interviews with staff members working at different levels of the
organization (senior managers, operational area managers, and staff). It is worth mentioning
here that the OCTAVE methodology overcomes the challenge of calculating specific monetary
values for information assets by identifying and rating the significance of information assets
according to their relative importance to the organization.

On the other hand, in the CRAMM risk assessment methodology assets are assigned specific
monetary values. In CRAMM the evaluation of critical information assets is sometimes
regarded as a speculative activity, since it depends on who performs it and when. In CRAMM,
critical information assets are determined through interviews with data owners. This part of a
CRAMM risk assessment can be very difficult, since it may be hard to identify the owners of
data (or of business processes). In addition, the interviewer creates asset groups on the basis
of how physical assets, software and hardware interrelate. This is a risky simplification, since
each asset has unique attributes and the exploitation of only one of them is enough to create a
security breach. The values of physical assets are determined in terms of their replacement or
reconstruction value, while the value of data assets is determined by the data owners by
discussing worst-case scenarios and outlining the possible consequences of the data being
unavailable, modified or disclosed. This approach can be regarded as a shortcoming, since
worst-case scenarios can be extremely unlikely in the real world and can easily be used to
distort a situation.


6.2 Threat Identification


In the OCTAVE methodology, for each critical asset the threat sources, motivators and possible
outcomes are identified. General threats are grouped into categories based on their sources.
Threat source categories include:

> Human actors using network access
> Human actors using physical access
> System problems
> Other problems

In OCTAVE, the use of threat trees for each threat category allows the analysis team to trace
each threat source's access point, motivation, and the potential outcome of the threat in
general terms such as disclosure, modification, loss, destruction, and interruption. This
approach increases the ability of the risk analysis team to understand and evaluate threats
to critical assets.
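The threat-tree walk described above, as an added example in Python. This is not code from the original paper and not the OCTAVE method's own worksheets: it enumerates the branches of the generic threat profile (source, access, actor, motive, outcome) for one critical asset and keeps only the branches whose outcome violates a security requirement stated for that asset, which is how the refined security requirements from Phase 1 scope the profile. The branch labels follow the OCTAVE generic threat profile as this editor recalls it; the asset name, its requirements and the outcome-to-requirement mapping are constructed assumptions.

```python
"""Building an OCTAVE-style asset-based threat profile (section 6.2).

Added example, not part of the original paper and not the OCTAVE method's
own worksheets. It walks the branches of the generic threat tree
(source -> access -> actor -> motive -> outcome) for one critical asset and
keeps only the branches whose outcome violates a security requirement the
organization stated for that asset. Branch labels follow the OCTAVE generic
threat profile as recalled by the author of this example; the asset name,
the requirements and the outcome-to-requirement mapping are assumptions.
"""
from dataclasses import dataclass
from itertools import product

OUTCOMES = ("disclosure", "modification", "loss/destruction", "interruption")

# Security requirement each outcome violates (assumed mapping).
REQUIREMENT_VIOLATED = {
    "disclosure": "confidentiality",
    "modification": "integrity",
    "loss/destruction": "availability",
    "interruption": "availability",
}

# Branch factors (access, actors, motives) per threat source category.
# Non-human categories have no access or motive branch; "-" marks that.
THREAT_TREES = {
    "human actors using network access":
        (("network",), ("inside", "outside"), ("accidental", "deliberate")),
    "human actors using physical access":
        (("physical",), ("inside", "outside"), ("accidental", "deliberate")),
    "system problems":
        (("-",), ("software defect", "system crash", "hardware defect", "malicious code"), ("-",)),
    "other problems":
        (("-",), ("natural disaster", "power supply", "telecommunications", "third-party"), ("-",)),
}


@dataclass(frozen=True)
class Threat:
    """One leaf of the threat tree for a given asset."""
    asset: str
    source: str
    access: str   # "-" when the category has no access branch
    actor: str
    motive: str   # "-" when the category has no motive branch
    outcome: str

    def violates(self) -> str:
        """The security requirement this outcome would break."""
        return REQUIREMENT_VIOLATED[self.outcome]


def threat_profile(asset: str, requirements) -> list:
    """Every tree branch for `asset` whose outcome violates one of `requirements`.

    Branches whose outcome does not touch a stated requirement are dropped;
    that is how the refined security requirements scope the threat profile.
    """
    requirements = set(requirements)
    unknown = requirements - set(REQUIREMENT_VIOLATED.values())
    if unknown:
        raise ValueError(f"unknown security requirement(s): {sorted(unknown)}")
    profile = []
    for source, (access, actors, motives) in THREAT_TREES.items():
        for acc, actor, motive, outcome in product(access, actors, motives, OUTCOMES):
            threat = Threat(asset, source, acc, actor, motive, outcome)
            if threat.violates() in requirements:
                profile.append(threat)
    return profile


def by_source(profile) -> dict:
    """Number of retained threats per source category (area-of-concern summary)."""
    counts = {}
    for threat in profile:
        counts[threat.source] = counts.get(threat.source, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed critical asset whose stated requirements are confidentiality
    # and integrity; availability-only branches are left out of its profile.
    profile = threat_profile("customer database", {"confidentiality", "integrity"})
    for threat in profile[:4]:
        print(threat)
    print(len(profile), "threats;", by_source(profile))
```

For an asset whose requirements are confidentiality and integrity the four trees yield 32 leaves (8 per source category); adding availability as a requirement doubles that to 64. In a real workshop each retained leaf is then matched against the areas of concern gathered in Processes 1 to 3, and leaves nobody raised are the prompts for the "threats not yet taken into account" check in Process 4.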

In the CRAMM methodology threats are investigated against selected asset groups. CRAMM has
predefined tables for threat/asset group and threat/impact combinations. Threats are identified
by putting questions from structured questionnaires to support personnel and entering the
answers into the CRAMM tool. In this way CRAMM calculates an indicator of the likelihood of an
accidental or deliberate threat actually manifesting. This indicator expresses the level
(likelihood of occurrence) of each threat to each asset group as very high, high, medium, low or
very low.

6.3 Vulnerability Identification

OCTAVE gives an organization the ability to identify both organizational and technological
vulnerabilities. Organizational vulnerabilities are identified in Phase 1 of the risk
assessment through the use of organizational surveys based on the OCTAVE Catalog of
Practices. The Catalog of Practices is based on a collection of tested and proven strategic
and operational security practices. OCTAVE's approach to the identification of potential
technological vulnerabilities is focused on those portions of the organization's infrastructure
that are key components for the critical assets. The identification of technological
vulnerabilities is achieved through the use of special tools (vulnerability assessment
scanners). OCTAVE provides managerial guidance and advice in identifying technical
vulnerabilities through security testing. Technical security testing of the information assets is
left to skilled technical personnel.

On the other hand, CRAMM targets a managerial-level risk assessment, so detailed technical,
system-specific vulnerabilities of the kind identified by vulnerability scanners are not
addressed by the CRAMM tool. Vulnerabilities are identified by putting structured
questionnaires to support personnel and entering the answers in the CRAMM tool. In this way
CRAMM calculates an indicator of how serious each vulnerability is and of the likelihood that,
if a threat were to manifest, the vulnerability would be successfully exploited. This indicator
expresses the level of each vulnerability of each asset group as high, medium or low.


6.4 Risk Analysis

OCTAVE guides the analysis team to use high, medium and low criteria to describe the impact
that the exploitation of a security vulnerability would have on the organization, under the
assumption that such a security breach occurs. This approach helps the analysis team to
calculate risks for each critical asset, and guides the organization to base priorities for risk
mitigation on the potential mission impact.
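As an added illustration (not code from the paper or from the SEI OCTAVE materials), the following Python sketch walks a threat tree of the shape described in Section 6.2 for one critical asset and then ranks the resulting threat profiles by a high/medium/low impact rating, as described for OCTAVE above. The tree branches, the sub-sources listed under "system problems" and "other problems", the asset name and the impact ratings are assumptions chosen for the example, not OCTAVE's published threat profiles.

```python
"""OCTAVE-style threat profiles for one critical asset.

Added illustration, not code from the paper or from the SEI OCTAVE
materials. The tree shape (access point -> actor -> motive -> outcome),
the sub-sources listed under "system problems" and "other problems", and
the impact ratings passed to prioritize() are assumptions for this example.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Tuple

# Outcomes named in the paper's description of OCTAVE threat trees.
OUTCOMES = ("disclosure", "modification", "loss/destruction", "interruption")

# Hypothetical branches for the two "human actors" categories:
# access point -> actor type -> motive -> outcome.
HUMAN_ACTOR_TREE = {
    "network access": {"actors": ("inside", "outside"),
                       "motives": ("accidental", "deliberate")},
    "physical access": {"actors": ("inside", "outside"),
                        "motives": ("accidental", "deliberate")},
}

# Hypothetical sub-sources for the non-human categories (no actor/motive).
OTHER_TREES = {
    "system problems": ("software defects", "hardware defects", "malicious code"),
    "other problems": ("power supply problems", "natural disasters"),
}


@dataclass(frozen=True)
class ThreatProfile:
    asset: str
    category: str
    source: str              # access point or non-human source
    actor: Optional[str]
    motive: Optional[str]
    outcome: str


def build_threat_profiles(asset: str) -> List[ThreatProfile]:
    """Walk the threat tree and emit one ThreatProfile per leaf."""
    profiles: List[ThreatProfile] = []
    for access, branches in HUMAN_ACTOR_TREE.items():
        for actor, motive, outcome in product(branches["actors"],
                                              branches["motives"], OUTCOMES):
            profiles.append(ThreatProfile(asset, "human actors", access,
                                          actor, motive, outcome))
    for category, sources in OTHER_TREES.items():
        for source, outcome in product(sources, OUTCOMES):
            profiles.append(ThreatProfile(asset, category, source,
                                          None, None, outcome))
    return profiles


IMPACT_ORDER = {"high": 3, "medium": 2, "low": 1}


def prioritize(profiles: List[ThreatProfile],
               impact_by_outcome: Dict[str, str]) -> List[Tuple[str, ThreatProfile]]:
    """Rate each profile high/medium/low by the impact of its outcome and
    sort highest impact first. No likelihood enters the ranking, matching
    the paper's point that OCTAVE does not factor in probability."""
    rated = [(impact_by_outcome[p.outcome], p) for p in profiles]
    rated.sort(key=lambda r: IMPACT_ORDER[r[0]], reverse=True)
    return rated


def count_by_category(profiles: List[ThreatProfile]) -> Dict[str, int]:
    """Summarize how many threat profiles each source category produced."""
    counts: Dict[str, int] = {}
    for p in profiles:
        counts[p.category] = counts.get(p.category, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed input: one critical asset and hypothetical impact ratings.
    profiles = build_threat_profiles("customer database")
    ratings = {"disclosure": "high", "modification": "high",
               "loss/destruction": "medium", "interruption": "low"}
    for level, p in prioritize(profiles, ratings)[:5]:
        print(level, p.source, p.actor, p.motive, p.outcome)
    print(count_by_category(profiles))
```

The point of enumerating the leaves rather than listing threats by hand is completeness: every combination of access point, actor, motive and outcome is considered once, and the team then rates impact per outcome instead of per individual threat, which keeps the evaluation manageable for a critical asset.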

CRAMM calculates the risk for each asset group against each threat to which it is vulnerable on
a scale of 1 to 7, using a risk matrix with predefined values that compares asset values to
threat and vulnerability levels. On this scale, 1 indicates a low-level baseline security
requirement and 7 indicates a very high security requirement.

6.5 Control Recommendations

In OCTAVE, control recommendations occur as the culmination of the OCTAVE evaluation.
Based on the compiled results of the preceding OCTAVE processes, the analysis team
develops a set of recommended protection strategies, mitigation plans, and a list of near-term
action items for the organization. The mitigation plans identify how organizations are going to
address risks specific to the critical assets. Mitigation plans include actions and
countermeasures. These control recommendations are then presented to the senior
managers for their approval and resource commitment. The senior managers make final
adjustments to the recommended controls and define the next steps required to implement the
controls.

Based on the findings of the risk analysis, CRAMM produces a set of countermeasures
applicable to the system or network which are considered necessary to manage the identified
risks. The recommended security profile is then compared against the existing
countermeasures to identify areas of weakness or over-provision. Each countermeasure is
marked with a security level on a scale of 1 (Very Low) to 7 (Very High), selected according
to the measure of risk. In the last activity of the CRAMM methodology, management is
presented with a summary of the findings and conclusions from the risk analysis, together
with an explanation of the recommended countermeasures, giving a broad indication of the
priority and costs involved in implementing them.
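As an added illustration (not code from the paper or from the CRAMM tool), the following Python sketch shows the two CRAMM steps described in Sections 6.4 and 6.5: deriving a 1 to 7 security requirement for each asset group and threat from asset value, threat likelihood and vulnerability level, and then comparing the recommended countermeasure levels against what is installed to find weakness or over-provision. The 1 to 10 asset-value scale, the scoring formula that stands in for CRAMM's predefined risk matrix, and all asset, threat and countermeasure names are constructed assumptions.

```python
"""CRAMM-style risk scoring and countermeasure gap check.

Added illustration, not code from the paper or from the CRAMM tool. The
1..10 asset-value scale, the scoring formula that stands in for CRAMM's
predefined risk matrix, and every asset, threat and countermeasure name
below are constructed assumptions for this example.
"""
from typing import Dict, List, Tuple

THREAT_LEVELS = ("very low", "low", "medium", "high", "very high")  # likelihood
VULN_LEVELS = ("low", "medium", "high")

Pair = Tuple[str, str]  # (asset group, threat)


def risk_score(asset_value: int, threat: str, vulnerability: str) -> int:
    """Return a security requirement from 1 (low baseline) to 7 (very high).

    CRAMM reads this from a predefined matrix indexed by asset value, threat
    level and vulnerability level; here a monotone weighted sum stands in
    for that table (hypothetical mapping, not CRAMM's values).
    """
    if not 1 <= asset_value <= 10:
        raise ValueError("asset value must be in 1..10 (assumed scale)")
    t = THREAT_LEVELS.index(threat)       # 0..4
    v = VULN_LEVELS.index(vulnerability)  # 0..2
    raw = (asset_value - 1) / 9 + t / 4 + v / 2   # each term 0.0..1.0
    return 1 + round(raw * 2)                    # 1..7


def risk_profile(asset_values: Dict[str, int],
                 exposures: Dict[Pair, Tuple[str, str]]) -> Dict[Pair, int]:
    """Score every (asset group, threat) pair for which threat and
    vulnerability levels were recorded from the questionnaires."""
    return {pair: risk_score(asset_values[pair[0]], tl, vl)
            for pair, (tl, vl) in exposures.items()}


def countermeasure_levels(risks: Dict[Pair, int],
                          coverage: Dict[str, List[Pair]]) -> Dict[str, int]:
    """Mark each countermeasure with the security level it must meet: the
    highest risk among the (asset, threat) pairs it addresses."""
    return {cm: max(risks[pair] for pair in pairs) for cm, pairs in coverage.items()}


def gap_analysis(required: Dict[str, int],
                 installed: Dict[str, int]) -> Dict[str, List[Tuple[str, int, int]]]:
    """Compare the recommended profile with what exists. A missing
    countermeasure counts as level 0. Returns (name, installed, required)
    tuples grouped as weakness, over_provision or adequate."""
    report: Dict[str, List[Tuple[str, int, int]]] = {
        "weakness": [], "over_provision": [], "adequate": []}
    for cm, req in required.items():
        have = installed.get(cm, 0)
        if have < req:
            report["weakness"].append((cm, have, req))
        elif have > req:
            report["over_provision"].append((cm, have, req))
        else:
            report["adequate"].append((cm, have, req))
    return report


def run_example() -> Dict[str, List[Tuple[str, int, int]]]:
    """Constructed sample data standing in for questionnaire answers."""
    asset_values = {"customer database": 9, "public web server": 5}
    exposures = {
        ("customer database", "unauthorised network access"): ("high", "medium"),
        ("customer database", "fire"): ("very low", "low"),
        ("public web server", "denial of service"): ("medium", "high"),
    }
    coverage = {
        "access control": [("customer database", "unauthorised network access")],
        "fire protection": [("customer database", "fire")],
        "network filtering": [("public web server", "denial of service"),
                              ("customer database", "unauthorised network access")],
    }
    installed = {"access control": 3, "fire protection": 5}  # filtering absent
    risks = risk_profile(asset_values, exposures)
    required = countermeasure_levels(risks, coverage)
    return gap_analysis(required, installed)


if __name__ == "__main__":
    for kind, items in run_example().items():
        print(kind, items)
```

With the constructed data, the database's exposure to unauthorised network access and the web server's exposure to denial of service both land at level 5, fire at level 3; access control (installed at 3) and the missing network filtering therefore appear as weaknesses, while fire protection installed at 5 against a requirement of 3 is reported as over-provision. That weakness/over-provision split is the output a manager reads from the CRAMM comparison step, and the per-countermeasure level is what the priority and cost discussion is built on.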


7 Conclusion
During the course of this paper it has become clear that Risk Assessment is a valuable tool
which can be used by modern organizations to assist them firstly to identify and rate the risks
associated with the use of their information systems and secondly to take the appropriate
measures to protect their information systems.

The paper also provided a detailed examination and comparison of the two most widely used
risk assessment methodologies, OCTAVE and CRAMM. The results from the comparison of the
two methodologies are shown below.

> The OCTAVE methodology overcomes the challenge of calculating specific monetary values
for information assets by identifying and rating the significance of information assets
according to their relative importance to the organization.
> In the CRAMM risk assessment methodology, assets are assigned specific monetary values.
> OCTAVE uses threat trees to identify threats and impacts to critical information assets.
This approach increases the ability of the risk analysis team to understand and evaluate
threats to critical assets.
> In the CRAMM methodology, threats are investigated against selected asset groups. Threats
are identified by putting structured questionnaires to support personnel and entering the
results in the CRAMM tool. In this way the likelihood of occurrence of each threat is
quantified and then presented in qualitative form as very high, high, medium, low or very low.
> OCTAVE gives an organization the ability to identify both organizational and technological
vulnerabilities.
> CRAMM targets a managerial-level risk assessment, so detailed technical, system-specific
vulnerabilities of the kind identified by vulnerability scanners are not addressed by the
CRAMM tool.
> OCTAVE guides the analysis team to use high, medium and low criteria to describe the impact
that the exploitation of a security vulnerability would have on the organization. This approach
helps the analysis team to calculate risks for each critical asset, and guides the organization
to base priorities for risk mitigation on the potential mission impact.
> CRAMM calculates the risk for each asset group against each threat to which it is vulnerable
on a scale of 1 to 7, using a risk matrix with predefined values that compares asset values to
threat and vulnerability levels.
> The distinctive feature of OCTAVE is that, in assessing risks to critical assets, it does not
take probability into consideration.
> CRAMM utilizes both qualitative and quantitative measures.


8 References

1. V. Visintine. An Introduction to Risk Assessment, August 8, 2003.

2. S. Vidalis. A Critical Discussion of Risk and Threat Analysis Methods and Methodologies,
University of Glamorgan, School of Computing Technical Report CS-04-03, July 2004.

3. W. G. Bornman, L. Labuschagne. A Comparative Framework for Evaluating Information Security
Risk Management Methods, Rand Afrikaans University, April 2004.

4. P. Stephenson. Forensic Analysis of Risks in Enterprise Systems, Eastern Michigan University.

5. Information Security Risk Assessment: Practices of Leading Organizations, GAO/AIMD-99-139,
August 1999.

6. J. Jaisingh, J. Rees. Value at Risk: A Methodology for Information Security Risk Assessment,
Krannert Graduate School of Management, Purdue University.

7. CRAMM Management Guide, April 1996.

8. D. Brewer. Risk Assessment Models and Evolving Approaches. Available at:
http://www.gammassl.co.uk/topics/IAAC.htm.

9. C. Alberts, A. Dorofee, J. Stevens, C. Woody. Introduction to the OCTAVE Approach, Software
Engineering Institute, Carnegie Mellon University, August 2003.

10. An Introduction to Computer Security: The NIST Handbook, National Institute of Standards and
Technology, Technology Administration, U.S. Department of Commerce, Special Publication 800-12.

11. G. Stoneburner, A. Goguen, A. Feringa. Risk Management Guide for Information Technology
Systems, National Institute of Standards and Technology, Technology Administration, U.S.
Department of Commerce, Special Publication 800-30.

12. C. Alberts, A. Dorofee. OCTAVE Threat Profiles, Software Engineering Institute, Carnegie Mellon
University.

13. C. Alberts, A. Dorofee, J. Allen. OCTAVE Catalog of Practices, Version 2.0, Technical Report
CMU/SEI-2001-TR-020, ESC-TR-2001-020, Software Engineering Institute, Carnegie Mellon
University, October 2001.

14. C. Alberts, A. Dorofee. OCTAVE Criteria, Version 2.0, Technical Report CMU/SEI-2001-TR-016,
ESC-TR-2001-016, Software Engineering Institute, Carnegie Mellon University, December 2001.
