1 Introduction
We are living in an Information Society. Over the past few years there has been a rapid
development of global IT infrastructures, which has allowed the movement of information
within and between organizations and across national borders. This growth of IT infrastructures
and computer networks is fundamentally shifting the way information is managed today. In this
environment, where almost every organization is increasing its reliance on information and
computer processing facilities, new dependencies and new risks are born.
As more and more organizations open their internal networks to customers, business partners
and suppliers, they must make sure that information remains available and trustworthy yet
protected from intrusion. Information is a valuable business asset and it needs to be protected
to ensure business continuity, minimize business damage and maximize return on investment
and business opportunities.
Today, organizations need to realize that in order to protect their information assets in an
effective and efficient way they must understand the risks associated with the use of their
information systems. In this context, a risk assessment methodology is a valuable tool that
modern organizations can use, first to identify and rate the risks associated with the use of
their information systems and second to take the appropriate measures to protect those
systems. The purpose of this paper is to address the issue of risk with respect to information
security and to answer the following questions:
The SLE is the total amount of revenue that is lost from a single occurrence of the risk. It is a
monetary amount assigned to a single event, representing the organization's potential loss if a
specific threat exploits a vulnerability. The SLE is calculated by multiplying the Asset Value by
the Exposure Factor. The Asset Value is, as the name suggests, the total value of an asset. The
Exposure Factor is the percentage of the asset's value that would be lost if the threat were
realized. The ARO (Annualized Rate of Occurrence) is the number of times (frequency) that an
organization expects the risk to occur during one year. The SLE and the ARO are multiplied to
produce the ALE, which is essentially the monetary risk for a given asset with respect to
certain exposures or threats. When all assets and exposures have been identified and
factored together, an overall assessment of the monetary risk can be obtained.
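The quantitative calculation described above, carried through in code. This is an added
example written for this page, not code from the paper; the asset register, exposure factors
and yearly rates are constructed sample figures, and the `control_worth_funding` helper is an
assumption about how the ALE is normally used to justify spending on a control.

```python
"""Quantitative risk: SLE = Asset Value * Exposure Factor, ALE = SLE * ARO.

Added illustrative example; all figures below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One threat against one asset, with the three quantitative inputs."""
    asset: str
    threat: str
    asset_value: float       # AV: total value of the asset, in currency units
    exposure_factor: float   # EF: fraction of AV lost in a single occurrence (0.0 .. 1.0)
    aro: float               # ARO: expected number of occurrences per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF; rejects an exposure factor outside the 0..1 range."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO; a negative yearly rate makes no sense and is rejected."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def ale_for(exposure: Exposure) -> float:
    """ALE of one asset/threat pairing."""
    sle = single_loss_expectancy(exposure.asset_value, exposure.exposure_factor)
    return annualized_loss_expectancy(sle, exposure.aro)


def overall_monetary_risk(exposures: list) -> dict:
    """Sum the ALE per asset and across all assets (the 'overall assessment' in the text)."""
    per_asset = {}
    for e in exposures:
        per_asset[e.asset] = per_asset.get(e.asset, 0.0) + ale_for(e)
    per_asset["TOTAL"] = sum(per_asset.values())
    return per_asset


def control_worth_funding(ale_before: float, ale_after: float, annual_control_cost: float) -> bool:
    """Assumed decision rule: a control pays for itself when the ALE reduction exceeds its yearly cost."""
    return (ale_before - ale_after) > annual_control_cost


# Constructed sample register (not real figures).
SAMPLE_EXPOSURES = [
    Exposure("customer-db", "ransomware", 500_000.0, 0.40, 0.5),
    Exposure("customer-db", "insider data theft", 500_000.0, 0.25, 0.2),
    Exposure("web-frontend", "DDoS outage", 120_000.0, 0.10, 2.0),
]

if __name__ == "__main__":
    for name, ale in overall_monetary_risk(SAMPLE_EXPOSURES).items():
        print(f"{name:14s} ALE = {ale:12,.2f}")
```

Run it as a script to print the per-asset and total ALE for the sample register. Note how the
low-value web front end still contributes a noticeable ALE because of its high yearly rate;
that is exactly the frequency data the next paragraphs argue is hard to obtain reliably for
information security.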
The quantitative approach is the standard way of measuring risk in finance, insurance and
similar fields. However, it is not the most appropriate approach when it comes to measuring
risk in information security. There are many reasons to support this view; some of them are
given below:
> There is limited data on risk factors, such as the likelihood of a sophisticated hacker
attack and the costs of damage, loss or disruption caused by events that exploit security
weaknesses (i.e. the statistical information needed to determine frequency is lacking).
Some costs, such as loss of consumer confidence, are difficult to measure.
> Although the costs of the hardware and software needed to strengthen controls may be
known, it is often not possible to precisely estimate the related indirect costs, such as the
possible loss of productivity that may result when new controls are implemented.
> Even if precise information is available, it will soon be out of date due to fast-paced
changes in technology and factors such as improvements in the tools available to intruders.
> Organizations that have tried to meticulously apply all aspects of the quantitative
approach have found the process to be extremely costly. Such attempts usually take a very
long time to complete their first full cycle, and they usually involve many staff members
arguing over the details of how specific monetary values were calculated.
This lack of reliable and current data often prevents accurate determinations. Because of this
limitation, it is important that organizations identify and employ methods that efficiently
achieve the benefits of risk assessment while avoiding costly attempts to develop seemingly
precise results of questionable reliability.
As we have already mentioned, the key elements of the qualitative approach are: Asset Value,
Vulnerability, Threats and Controls. As with the quantitative approach, an asset is anything of
value. For example, this could be a server, it could be data, or it could be an organization's
reputation. In terms of risk, assets are what we want to protect. A vulnerability is anything
that could be exploited to gain access to or deny access to an asset. Vulnerabilities exist
because, most of the time, assets lack protection. If controls (means of protection) were put
into place the vulnerabilities would be reduced. A threat is anything or anyone that can exploit
a vulnerability to obtain, alter or deny access to an asset.
A risk is created when an activity that is undertaken makes an asset vulnerable and there are
threats that can exploit the vulnerability. So the risk can be represented mathematically
according to the following formula:
If the asset value is high, the vulnerability is high and the threat is high, then the risk is high.
If all are low then the risk is low. Conversely, the asset may be very valuable but the
vulnerability and threat may be extremely low; in this case the risk is low. Thus all elements of
risk (Asset Value, Vulnerability, Threat) contribute to the level of risk associated with a given
activity or situation.
The main difference between the quantitative approach and the qualitative approach is in the
details used to determine risks. In the qualitative approach comparisons between the value of
one asset and another are relative, and participants do not invest a lot of time trying to
calculate precise financial numbers for asset valuation. The same is true for calculating the
possible impact from a risk being realized and the cost of implementing controls. The benefits
of a qualitative approach are that it overcomes the challenge of calculating accurate figures for
asset value, cost of control, and so on, and the process is much less demanding on staff.
Using a qualitative approach to determine risks can typically start to show significant results
within a few weeks, whereas most organizations that choose a quantitative approach see little
benefit for months, and sometimes even years, of effort.
Having identified the key elements of a risk assessment methodology, in the next three
sections of this paper we continue our discussion by presenting and comparing two of the
most widely used risk assessment methodologies - these are OCTAVE and CRAMM risk
assessment methodologies.
OCTAVE does not take the probability component of threat into consideration when
determining risk, and uses a qualitative approach to valuation.
Through the process the analysis team identifies critical assets and focuses the risk analysis
activities on those assets. This is referred to as an asset-driven evaluation approach. The
participants of the workshops are employees from tactical, strategic and operational levels.
Workshops can either be facilitated discussions where employees participate, or workshops
where the risk analysis team conducts activities on their own.
The processes that capture employee knowledge are organized around the three key areas
identified by OCTAVE: senior management, operational area management and staff
knowledge. Each of these three employee levels corresponds to one process.
There are four activities that have to be performed within each of these three processes. They
are:
> Identify assets and relative priorities: Information-related assets that
enable employees to perform their job are identified. From this activity a
small number of assets are isolated and will form the focus for the
remaining assessment processes.
> Identify areas of concern: Analysis participants identify areas that
concern them on how the most important assets can be threatened.
Known threat sources and outcomes of threat prompts assist in
developing scenarios.
> Identify security requirements for most important assets: Certain
qualities of an asset are important to the organization. This activity is
geared towards identifying those qualities and translating them into
security requirements on which to focus.
> Capture knowledge of current security practices and organizational
vulnerabilities: Organizations have to establish their current position on
information security before continuing to protect the assets. Best practice
codes and security standards provide guidance and benchmarking
information.
Process 4 serves two functions: consolidating the information that was gathered during the
preceding processes, and setting the scope for the rest of the processes.
Creating threat profiles consists of three primary activities. They are:
> Select critical assets: The team determines which assets will have a
large adverse impact on the organization if the identified security
requirements of the assets are violated.
> Refine security requirements for critical assets: Security requirements
were identified in a preceding activity. This activity refines those security
Phase 2 is also known as the technology view. Whereas the first phase focused on the
organizational view and constructed an employee or human view of the organizational assets
and threats, this view focuses on the organizational computing infrastructure. The goal of this
phase is to identify any technological vulnerabilities in the system. This phase focuses on the
parts that were identified in the previous phase as critical assets.
Information from the preceding processes is used to determine how to evaluate the
organizations computing infrastructure for technological vulnerabilities. During this process
key classes of components are identified, for instance servers, laptops and wireless
components. These classes assist in selecting specific components, evaluation processes
and the extent to which the vulnerabilities will be evaluated.
This process's primary goal is data collection and analysis. This goal is achieved by a single
activity: reviewing technology vulnerabilities and summarizing the results. Prior to this
process's workshop, tools should be used to determine the technological vulnerabilities of the
selected components of the critical assets. At the end of the preliminary technology
vulnerability assessment and workshop, a summarized vulnerability report with interpretation
is produced by the risk analysis team.
Phase 3's goal is to make sense of the information gathered during the two preceding phases.
The human and technological views are consolidated to provide a picture of the
organizational risk view. During this phase the risk analysis team develops security strategies.
In order to develop security strategies, the identified risks have to be analyzed first.
This process is the starting point of linking the identified critical assets to what is important for
the organization. The activities of process 7 are:
> Identify the impact of threats to the critical assets: This activity links the
impact a threat has on an asset with that asset, which is important for an
organization as it brings the components in context with the objectives of
the organization.
> Create risk evaluation criteria: This activity defines the risk tolerance of
the organization. A single set of criteria is created; there is no evaluation
criteria set per asset.
> Evaluate the impact of threats on the critical assets: The previous two
activities lead to the evaluation of impacts of threats on the critical assets
that will assist in guiding the risk mitigation strategy.
The previous process provides enough information for the team to develop tactical and
strategic solutions to manage information security risk within the organization. This process
consists of four activities.
> Review risk information: During this activity the information that was
gathered during the preceding process is collected and reviewed.
> Create protection strategy: A protection strategy defines the strategy
that an organization is undertaking to manage its internal security. The
protection strategy incorporates short- to long-term activities. A Catalog
of Practices provided by the methodology can be used during this
activity.
> Create mitigation plans: The mitigation plans identify how organizations
are going to address risks specific to the critical assets. Mitigation plans
include actions and countermeasures.
> Create action list: An action list contains the actions that the organization is
going to take in the near future without requiring specialized activities,
for instance policy changes or formal employee training.
CRAMM defines risk as a function of two separate components: the likelihood that an
unwanted incident will occur and the impact that will result from the incident. CRAMM consists
of two distinct processes: analysis and management.
CRAMM has an extensive control database. This control database consists of over 3,000
security controls, which are constantly updated. Whenever a control is proposed by the
software, supporting information such as control motivation, cost, benefits, expected
advantage and control type is provided.
a) Assets - Analysis
Critical assets are determined through interviews. The interviewer creates asset groups on the
basis of how physical assets, software and hardware interrelate. The physical assets are
valued on the replacement value and data assets on the business impact if the data is
compromised. Data assets and their values are determined by data owners. The valuation
step provides the impact component of risk. The data values are determined by discussing the
worst-case scenarios for each of the security requirements.
Although CRAMM assigns a replacement value to the physical asset and an estimated
business value to the data asset, they are grouped together into asset groups. The asset
groups are utilized in order to speed up the risk analysis process.
b) Threats - Analysis
A threat assessment involves identifying and assessing the level of threat to the assets of a
system. The level of threat is measured as a likelihood of occurrences. Threats are identified
for asset groupings and not individual assets. CRAMM provides lists of types of threats that
can be linked to asset groups. Threats are identified through structured questionnaires that
are produced by CRAMM. Threats can be assigned a qualitative value on a five-point scale
ranging from very low, low, medium, high to very high.
c) Vulnerability - Analysis
Vulnerability is a measure of inherent weakness within the system or network. Threat and
vulnerability assessment deliver the likelihood component of risk assessment. Qualitative
values are assigned for vulnerability rating. These ratings are low, medium or high.
The risk value is calculated within the CRAMM software product. During the automated risk
estimation, referred to as MOR (Measure of Risk), a value is calculated for each threat to all
assets in an asset group, assets that depend on or are depended on and all types of impact
that could result from the threat.
e) Countermeasure - Management
Countermeasures are recommended by the CRAMM tool according to the calculated measure
of risk. The controls are drawn from a variety of authoritative sources, which include the UK's
Security Authorities, BS 7799, the Information Technology Security Evaluation Criteria
and Insight Consultants. The proposed controls have to be evaluated against the budget,
practical implementation issues and the existing countermeasures.
f) Implementation - Management
The countermeasures that are recommended in the previous step have to be implemented.
These countermeasures are recommended from a database within CRAMM but the software
package does not take into consideration the environment in which the organization finds
itself. CRAMM proposes the most effective controls. However, certain controls can mitigate
more than one risk and this decision or correlation will have to occur during the
implementation process.
g) Audit - Management
A benefit outlined by CRAMM is the auditability of the CRAMM review. At each step of the
CRAMM process a review can be conducted of the past processes. CRAMM further allows
for an audit of the suitability and status of security controls on an existing system. CRAMM is
an information security risk assessment methodology that focuses more on the technical
nature of risk, whereas some other methodologies focus on the business view of risk assessment.
On the other hand, in the CRAMM risk assessment methodology assets are assigned
specific monetary values. In the CRAMM methodology the valuation of critical information
assets is sometimes regarded as a speculative activity, since it depends on who performs it
and when. In CRAMM, critical information assets are determined through interviews with data
owners. Sometimes this part of the CRAMM risk assessment can be very difficult, since it may
be hard to identify the owners of data (or business processes). In addition, the interviewer
creates asset groups on the basis of how physical assets, software and hardware interrelate.
This is a dangerous operation, as each asset has unique attributes and it only takes the
exploitation of one to create a security breach. The values of physical assets are determined
in terms of their replacement or reconstruction value, while the value of data assets is
determined by data owners by discussing worst-case scenarios and outlining the possible
consequences of the data being unavailable, modified or disclosed. This approach, however,
can be regarded as a shortcoming, since worst-case scenarios can be extremely unlikely in
the real world and can easily be used to distort a situation.
In OCTAVE, the use of threat trees for each threat category allows the analysis team to trace
each threat sources access point, motivation, and the potential outcome of the threat in
general terms such as disclosure, modification, loss, destruction, and interruption. This
approach increases the ability of the risk analysis team to better understand and evaluate
threats to critical assets.
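The threat-profile idea described above, expressed as a small data structure: enumerate each
branch of a threat tree (access point, actor, motive, outcome) for one critical asset, then apply
the single organization-wide set of evaluation criteria from process 7 to keep the scenarios
whose impact reaches the organization's tolerance threshold. This is an added example, not
OCTAVE's own tooling or code from the paper; the tree's categories, actor and motive branches,
the impact scale and the payroll-database ratings are assumptions constructed for illustration.
Only the outcome list (disclosure, modification, loss/destruction, interruption) follows the text.

```python
"""OCTAVE-style threat profile for one critical asset (added illustrative example)."""
from dataclasses import dataclass
from itertools import product
from typing import Optional

# Outcomes named in the text.
OUTCOMES = ("disclosure", "modification", "loss/destruction", "interruption")

# Assumed threat tree: the category is the access point; human actors carry a motive,
# system problems do not. Constructed for the example.
THREAT_TREE = {
    "human actors using network access": {
        "actors": ("inside", "outside"),
        "motives": ("accidental", "deliberate"),
    },
    "human actors using physical access": {
        "actors": ("inside", "outside"),
        "motives": ("accidental", "deliberate"),
    },
    "system problems": {
        "actors": ("software defect", "hardware failure", "malicious code"),
        "motives": (None,),
    },
}

# Assumed three-step impact scale used by the single set of evaluation criteria.
IMPACT_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class ThreatScenario:
    asset: str
    category: str          # branch of the threat tree (access point)
    actor: str
    motive: Optional[str]  # None for system problems
    outcome: str


def build_threat_profile(asset: str) -> list:
    """Enumerate every leaf of the threat tree for one critical asset."""
    scenarios = []
    for category, branch in THREAT_TREE.items():
        for actor, motive, outcome in product(branch["actors"], branch["motives"], OUTCOMES):
            scenarios.append(ThreatScenario(asset, category, actor, motive, outcome))
    return scenarios


def evaluate_impacts(scenarios: list, asset_impacts: dict) -> dict:
    """Attach the team's impact rating for each outcome to every scenario.

    Refuses to proceed if an outcome has no rating, so no scenario is silently dropped.
    """
    missing = set(OUTCOMES) - set(asset_impacts)
    if missing:
        raise ValueError(f"no impact rating for outcomes: {sorted(missing)}")
    return {s: asset_impacts[s.outcome] for s in scenarios}


def scenarios_at_or_above(rated: dict, threshold: str) -> list:
    """Apply the organization-wide criterion: keep scenarios whose impact meets the threshold."""
    floor = IMPACT_ORDER[threshold]
    return [s for s, level in rated.items() if IMPACT_ORDER[level] >= floor]


# Constructed sample: impact ratings a workshop might assign for a payroll database.
PAYROLL_IMPACTS = {
    "disclosure": "high",
    "modification": "high",
    "loss/destruction": "medium",
    "interruption": "low",
}

if __name__ == "__main__":
    profile = build_threat_profile("payroll-db")
    rated = evaluate_impacts(profile, PAYROLL_IMPACTS)
    for s in scenarios_at_or_above(rated, "high"):
        motive = f", {s.motive}" if s.motive else ""
        print(f"{s.category}: {s.actor}{motive} -> {s.outcome} [{rated[s]}]")
```

Because the impact criteria are keyed by outcome rather than by asset, the same
`PAYROLL_IMPACTS`-style table can be reused for every critical asset, which is the point the
text makes about there being one evaluation criteria set rather than one per asset. The
profile deliberately carries no probability, matching the remark that OCTAVE does not factor
likelihood into risk.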
In CRAMM methodology threats are investigated against selected asset groups. CRAMM has
predefined tables for threat/asset group and threat/impact combinations. Threats are identified
by asking questions to support personnel from structured questionnaires, and entering the
answers in the CRAMM tool. In this way CRAMM calculates an indicator of the likelihood of an
accidental or deliberate threat actually manifesting. This indicator expresses the level
(likelihood of occurrence) of each threat to each asset group as very high, high, medium, low,
very low.
On the other hand, CRAMM is targeting a managerial level risk assessment, thus detailed
technical, system specific vulnerabilities which may be identified by vulnerability scanners are
not addressed by the CRAMM tool. Vulnerabilities are identified by asking questions to
support personnel from structured questionnaires and entering the answers in the CRAMM
tool. In this way CRAMM calculates an indicator of how serious each vulnerability is and the
likelihood that if a threat were to manifest that the vulnerability would be successfully
exploited. This indicator expresses the level of each vulnerability of each asset group as high,
medium or low.
CRAMM calculates risks for each asset group against the threats to which it is vulnerable on a
scale of 1 to 7 using a risk matrix with predefined values by comparing asset values to threat
and vulnerability levels. On this scale, 1 indicates a low-level baseline security requirement
and 7 indicates a very high security requirement.
CRAMM, based on the findings of the risk analysis, produces a set of countermeasures
applicable to the system or network which are considered necessary to manage the identified
risks. The recommended security profile is then compared against the existing
countermeasures to identify areas of weakness or over-provision. Each countermeasure is
marked with a security level on a scale of 1 (Very Low) to 7 (Very High), which is selected by
comparison with the measure of risk. In the last activity of the CRAMM methodology, management
is presented with a summary of the findings and conclusions from the risk analysis and with
an explanation of the recommended countermeasures, providing a broad indication of the
priority and costs involved in implementing them.
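The qualitative risk model from the earlier section (risk as a function of asset value,
vulnerability and threat) and the CRAMM-style scoring described here, combined in one worked
example: rate each threat to an asset group on the text's scales, derive a measure of risk from
1 to 7, treat that as the required security level, and compare it with the level of the
countermeasure already in place to flag weakness or over-provision. This is an added example
and not CRAMM's software or its proprietary risk matrix: the combination rule (sum of ordinal
ranks rescaled onto 1..7), the four-step asset value scale, the "no countermeasure counts as
level 1" convention and the HR file server figures are all assumptions made for illustration.

```python
"""CRAMM-style measure of risk (MOR) and countermeasure comparison (added illustrative example)."""
from dataclasses import dataclass

# Scales from the text: five-point threat, three-point vulnerability, 1..7 risk/security level.
THREAT_LEVELS = ("very low", "low", "medium", "high", "very high")
VULNERABILITY_LEVELS = ("low", "medium", "high")
ASSET_VALUE_LEVELS = ("low", "medium", "high", "very high")   # assumed scale


def _rank(level: str, scale: tuple, name: str) -> int:
    """Ordinal position of a rating on its scale; unknown ratings are rejected, not guessed."""
    if level not in scale:
        raise ValueError(f"{name} must be one of {scale}, got {level!r}")
    return scale.index(level)


def measure_of_risk(asset_value: str, threat: str, vulnerability: str) -> int:
    """Combine the three ratings into a MOR from 1 to 7.

    Assumed rule: add the ordinal ranks (0..9) and rescale linearly onto 1..7.
    """
    raw = (_rank(asset_value, ASSET_VALUE_LEVELS, "asset value")
           + _rank(threat, THREAT_LEVELS, "threat")
           + _rank(vulnerability, VULNERABILITY_LEVELS, "vulnerability"))
    return 1 + round(raw * 6 / 9)


@dataclass(frozen=True)
class Finding:
    asset_group: str
    threat: str
    required_level: int   # security level the countermeasure must meet (set equal to the MOR)
    existing_level: int   # level of what is already in place, 1..7
    status: str           # "weakness", "adequate" or "over-provision"


def compare_countermeasures(asset_group: str, asset_value: str, threats: dict, existing: dict) -> list:
    """Derive the required level per threat and compare it with the existing countermeasure.

    threats:  {threat name: (threat level, vulnerability level)}
    existing: {threat name: security level currently in place}; absent means baseline level 1
    Returns findings ordered by the size of the shortfall, largest first.
    """
    findings = []
    for name, (t_level, v_level) in threats.items():
        required = measure_of_risk(asset_value, t_level, v_level)
        current = existing.get(name, 1)
        if not 1 <= current <= 7:
            raise ValueError(f"existing level for {name!r} must be between 1 and 7")
        if current < required:
            status = "weakness"
        elif current > required:
            status = "over-provision"
        else:
            status = "adequate"
        findings.append(Finding(asset_group, name, required, current, status))
    return sorted(findings, key=lambda f: f.required_level - f.existing_level, reverse=True)


# Constructed sample for one asset group.
HR_THREATS = {
    "malware infection": ("high", "medium"),
    "fire": ("very low", "low"),
    "unauthorised access": ("medium", "high"),
}
HR_EXISTING = {"malware infection": 3, "fire": 4, "unauthorised access": 5}

if __name__ == "__main__":
    for f in compare_countermeasures("HR file server", "high", HR_THREATS, HR_EXISTING):
        print(f"{f.threat:22s} required {f.required_level}  existing {f.existing_level}: {f.status}")
```

The sorted output puts the largest shortfall first, which is the information management needs
from the final summary step: which countermeasures to fund first and where existing controls
exceed what the measure of risk justifies. Swapping `measure_of_risk` for an organization's own
matrix leaves the comparison logic unchanged.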
7 Conclusion
During the course of this paper it has become clear that Risk Assessment is a valuable tool
which can be used by modern organizations to assist them firstly to identify and rate the risks
associated with the use of their information systems and secondly to take the appropriate
measures to protect their information systems.
The paper also provided a detailed examination and comparison of the two most widely used
risk assessment methodologies OCTAVE risk assessment methodology and CRAMM risk
assessment methodology. The results from the comparison of the two methodologies are
shown below.