1、A Framework for Comparing Different Information Security Risk Analysis Methodologies Anita Vorster, Les Labuschagne,Ajay Kumar IduriSushma Sachidanand Quang Tran Vinh,Overview,Introduction Information Security Risk Management Methodologies Criteria on which Framework is based The Framework for Compa
2、rison How the Framework should be used Strengths and Weakness of this proposed Framework Conclusion References,Introduction,Information security is an organizations approach to maintaining confidentiality, availability, integrity, nonrepudiation,accountability, authenticity and reliability of its IT
3、 systems Currently there are numerous risk analysis methodologies available some of which are qualitative while others are quantitative in nature These methodologies have a common goal of estimating the overall risk value,Introduction,An easy-to-use framework is required to compare information secur
4、ity risk analysis methodologies The best way to choose between methodologies is to compare them, using objective, quantifiable criteria This is where a framework for comparison is needed If the criteria that are used are applicable to all risk analysis methodologies, the organization can compare dif
5、ferent methodologies objectively, and decide on the best one,Alternative Frameworks,The framework proposed by Badenhorstindicates whether a methodology addresses a criterion or not It does not use scales, or trade-offs which can aid the organization in choosing a methodology which will best meet the
6、ir needs This shows the need for more Comparative Frameworks,Information Security Risk Management Methodologies,The Methodologies can be broadly classified into two categories Quantitative Methodologies Qualitative Methodologies Both qualitative and quantitative methodologies were evaluated for deve
7、loping the framework Different risk analysis methodologies were analyzed to determine common criteria for comparison,Qualitative Methodologies,The qualitative methodologies considered for this framework are OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation) The CORAS (Constru
8、ct a platform for Risk Analysis of Security Critical Systems) methodology,Quantitative Methodologies,The quantitative methodologies considered for this framework are ISRAM (Information Security Risk Analysis Method) Cost-Of-Risk Analysis (CORA) Information Systems (IS) analysis based on a business m
9、odel The above methodologies were chosen because they have been well documented,OCTAVE,OCTAVE was developed at the CERT Coordination Center (CERT/CC) Cert Coordination Center 2003 This approach concentrates on assets, threats and vulnerabilities One of the main concepts of OCTAVE is self-direction,
10、the people inside the organization must lead the information security risk evaluation An analysis team, consisting of staff from the organizations business units as well as the IT department, is responsible for leading the evaluation and recording results,OCTAVE,The OCTAVE approach has three phases,
11、 with each broken down into processes Each process has certain activities that must be completed, and within each of these activities, different steps must be taken in order to achieve the desired outputs The final result that risk decisions can be based on is the threat profile of different assets
12、Each threat profile contains information on which mitigation decisions can be based,CORAS,CORAS was developed under the Information Society Technologies (IST) program One of the main objectives of CORAS is to develop a framework that exploits methods for risk analysis, semi-formal methods for object
13、-oriented modeling, and computerized tools, for a precise, unambiguous, and efficient risk assessment of security critical systems The methodology is based on UML a language that uses diagrams to illustrate relationships and dependencies between users and the environment in which they work,CORAS,Dur
14、ing an information security risk analysis, a great deal of information is brainstormed, and during workshops and discussions, different people (users, system developers, analysts, system managers), with different expertise in different fields come together, give their opinions and share information
15、A way in which all the participants can communicate efficiently and understand each other must therefore exist and a UML profile, proposed by the CORAS project, is used to achieve this,CORAS,The framework has four main pillars, of which risk management is one. In CORAS, the final result on which dec
16、isions can be based is the UML class diagrams of each asset,ISRAM,The ISRAM methodology was developed at the National Research Institute of Electronics and Cryptology and the Gebze Institute of Technology in Turkey It is marketed as a quantitative approach to risk analysis that allows for the partic
17、ipation of the manager and staff of the organization and a survey-based model Two separate and independent surveys are conducted for the two attributes of risk, namely probability and consequence,ISRAM,ISRAM does not use techniques such as Single Occurrence Losses (SOL) or Annual Loss Expectancy (AL
18、E), instead, the risk factor is a numerical value between 1 and 25 This numerical value corresponds to a qualitative, high, medium or low value, and it is this qualitative value on which risk management decisions are based,CORA,International Security Technology, Inc. (IST) developed CORA, the Cost-O
19、f-Risk Analysis system The CORA risk model uses data collected about threats, functions and assets, and the vulnerabilities of the functions and assets to the threats to calculate the consequences, that is, the losses due to the occurrences of the threats,CORA,It is a methodology where the risk para
20、meters are expressed quantitatively and where losses are expressed in quantitative monetary termsCORA uses a two-step process to support risk management. Parameters for threats, functions and assets are validated and refined until the best values are determined,CORA,CORA then calculates SOL and ALE
21、for each of the threats identified It estimates a single loss value for a threat to an organization, and then multiplies this value by the frequency of the threat occurrence,IS Risk Analysis based on a Business Model,The IS Risk Analysis Based on a Business Model was developed at the Korea Advanced
22、Institute of Science and Technology This model was developed because traditional risk analysis methodologies had some limitations It takes an assets value and then not only bases the analysis on its replacement cost, but also measures the tangible assets value from the viewpoint of operational conti
23、nuity,IS Risk Analysis,The methodology has four stages During this methodology, the importance level of various business functions of the business model and the necessity level of various IS assets are determined Mathematical formulae are used to calculate ALE for a single threat occurrence on the o
24、rganization The end result is a quantitative monetary value,Criteria for the Framework,Whether risk analysis is done on single assets or groups of assets Where in the methodology risk analysis is done The people involved in the risk analysis The main formulae used Whether the results of the methodol
25、ogy are relative or absolute,Criteria for the Framework,Each criterion has a scaling The scaling indicates the level of a criterion based on certain trade-offs In the end a compliance factor must be selected to indicate how relative the criterion is to a methodology,Whether Risk Analysis is done on
26、Single Assets or Group of Assets,Criteria can either take on a value of 1 or 2, as follows: 1: if risk analysis is done on individual assets 2: if risk analysis is done on groups of assets In the case of the OCTAVE and CORAS methodology, the risk analysis is done on a single asset If the end result
27、is a single value for a threat scenario that can affect more than one asset, the risk analysis is done on a group of assets, such as in the case of the CORA ,ISRAM and IS Business model methodology,Where in the Methodology Risk Analysis is Done,This criterion explains where in the methodology risk a
28、nalysis takes place Some preparation, where values for information are estimated, must be done before risk analysis can be performed Some risk analysis methodologies may require more values for different information to be estimated than other methodologies,Where in the Methodology Risk Analysis is D
29、one,OCTAVE needs values for impact and probability IS Risk Analysis Based on a Business Model needs values for probability, income loss, replacement cost and relative importance of business functions Methodology that needs little preparation and less information is CORA An accurate risk analysis, mo
30、re preparation means more detailed results, thus ISRAM would be a better option,Scale for this Criterion,The scale for this criterion is based on a trade-off between time and accuracy. If time is most important 1: Risk analysis done after extensive preparation 2: Risk analysis done after some prepar
31、ation 3: Risk analysis done after little preparation If accuracy is most important 1: Risk analysis done after little preparation 2: Risk analysis done after some preparation 3: Risk analysis done after extensive preparation,The People Involved in the Risk Analysis,The people involved in the risk an
32、alysis can either be internal or external to the organization CORA uses external risk experts to perform the risk analysis, whereas OCTAVE uses internal personnel exclusively,Scale for this Criterion,The scale for this criterion is based on a trade-off between cost and expertise If cost is most impo
33、rtant, values are as follows: 1: Risk analysis is performed by external experts 2: Risk analysis is performed by external and internal people 3: Risk analysis is performed by internal people If expertise is most important, values are as follows: 1: Risk analysis is performed by internal people 2: Ri
34、sk analysis is performed by external and internal people 3: Risk analysis is performed by external experts,The Main Formulae Used,Some methodologies use mathematical formulae while others use an expected value matrix The main formula shows the magnitude of calculations that need to be done, thus ind
35、icating the complexity of the risk analysis The scale for this criterion is based on a trade-off between simplicity and accuracy,Scale for this Criterion,If simplicity is most important, values are as follows: 1: Risk analysis involves extensive mathematical calculations 2: Risk analysis involves so
36、me but simple mathematical calculations 3: Risk analysis involves no mathematical calculations If accuracy is most important, values are as follows: 1: Risk analysis involves no mathematical calculations 2: Risk analysis involves some but simple mathematical calculations 3: Risk analysis involves ex
37、tensive mathematical calculations,Whether the Results of the Methodology are Relative or Absolute,Some methodologies produce results that are relative. This means that there is no relationship between results and they cannot be compared Other methodologies produce results that are absolute and can b
38、e compared The scale for this criterion is based on a trade-off between a methodology providing merely a ranking of risks, or a methodology that can calculate how much greater one risk is over another,Scale for this Criterion,If merely ranking of risks is most important, values are as follows: 1: Re
39、sults are comparable 2: Results are not comparable If the differences between risks (how much greater one is over another) are most important, values are as follows: 1: Results are not comparable 2: Results are comparable,The Framework for Comparison,The Main Formulae Used in OCTAVE,The OCTAVE metho
40、dology uses an Expected Value Matrix to determine a risks expected value. The main formula is: Loss = Impact/consequence x Probability,The Main Formulae Used in CORAS,The CORAS methodology also uses the impact and probability approach. Loss = Impact x Probability,The Main Formulae Used in ISRAM,The
41、Main Formulae Used in CORA,ALE = Consequence x Frequencyconsequence = n(individual SOLs) n the number of single occurrence losses, and SOL = loss potential (worst case monetary value) x vulnerability CORA uses some, but not extensive mathematical calculations. It gets a value of 2 for both simplicit
42、y and accuracy,The Main Formulae Used in IS,IS Risk Analysis Based on a Business Model uses the following:,How the Framework Should be Used,The use of the framework is rather simplistic, which allows for use by more organizations Firstly the organization must identify their specific needs. Then, bas
43、ed on the scales of each criterion as defined earlier, the organization must determine values for the specific methodologies they want to compare,Strengths,Can be applied to various risk analysis methodologies Takes the requirements of an organization into account It uses scales based on different s
44、cenarios and trade-offs Can give an indication of which assets and people will be needed for the risk analysis as based on the requirements of the organization,Weakness,Not taking the customization of a methodology into account The OCTAVE methodology can be tailored to fit the needs of an organizati
45、on Not all processes have to be performed, which can influence the place where risk analysis fits into the methodology The preparation required can therefore be reduced The risk analysis based on the requirements of an organization,Weakness,The existence of other criteria, not presented by the frame
46、work There are many other risk analysis methodologies, such as CRAMM and there are also baselines, which cover a wider variety of information security aspects, such as the ISO 17799 framework and which can be used to define other criteria,Conclusion,Numerous methodologies are currently available and
47、 many organizations are faced with the daunting task of determining which one to use The goal was to develop an easy-to-use framework that organizations can employ to compare different information security risk analysis methodologies The main benefit lies in the ability to eliminate the majority of
48、methodologies that are unsuitable and to only further investigate the few that remain,References,A Framework for Comparing Different Information Security Risk Analysis Methodologies ANITA VORSTER And LES LABUSCHANGE BADENHORST, K.P, ELOFF, J.H.P, AND LABUSCHAGNE, L, 1993, A comparative framework for
49、 risk analysis methods, Computers & Security CERT COORDINATION CENTER, 2003, The OCTAVE approach, http:/www.cert.org/ FREDRIKSEN, R, KRISTIANSEN, M, GRAN, B, AND STOLEN, K, 2001. The CORAS framework for a model-based risk management process, http:/ INTERNATIONAL SECURITY TECHNOLOGY Inc (IST Inc). 2000. Managing risks using CORA, PowerPoint presentation www.ist-,
