Information Security Risk Management Framework: China Aerospace Systems Engineering Corporation
(Case Study)
Jing Zhang
Master of Science (Computer and Information Science)
School of Computer and Information Science
University of South Australia
Supervisor: Dr. Raymond Choo
October 2012
Table of Contents
Abstract ......................................................................................................................... 5
Acknowledgement ........................................................................................................ 6
1 Introduction ........................................................................................................... 7
1.1 Cyber threat landscape.......................................................................................... 7
1.2 Motivation ............................................................................................................... 8
1.3 Introduction of China Aerospace industry .......................................................... 9
1.4 Field of thesis ........................................................................................................ 10
1.5 Research question ................................................................................................ 10
2 Literature review ................................................................................................ 12
2.1 Standards .............................................................................................................. 12
2.1.1 NIST Information Risk Management Framework ...................................... 12
2.1.1.1 Risk assessment ............................................................................... 12
2.1.1.2 Risk mitigation ................................................................................. 15
2.1.1.3 Evaluation and Assessment.............................................................. 17
2.1.2 ISO 31000 ................................................................................................... 17
2.1.2.1 Risk assessment ............................................................................... 18
2.1.2.2 Monitor and review .......................................................................... 19
2.1.2.3 Monitoring and continual improvement of the framework .............. 19
2.1.3 ENISA ......................................................................................................... 19
2.1.3.1 Corporate risk management strategy ............................................... 19
2.1.3.2 Risk assessment ............................................................................... 20
2.1.3.3 Risk analysis and evaluation ............................................................ 20
2.1.3.4 Risk treatment .................................................................................. 20
2.1.3.5 Monitor and review .......................................................................... 21
2.2 Literature gap ........................................................................................................ 22
2.2.1 Risk assessment .......................................................................................... 22
2.2.1.1 Context Establishing ........................................................................ 23
2.2.1.2 Risk identification ............................................................................ 23
2.2.1.3 Risk analysis .................................................................................... 24
2.2.1.4 Risk evaluation................................................................................. 25
2.2.2 Risk treatment ............................................................................................. 26
2.2.3 Monitoring and Improvement ..................................................................... 29
2.2.4 Differential of three frameworks ................................................................ 30
2.2.4.1 Communication process ................................................................... 30
2.2.4.2 Mandate and commitment ................................................................ 30
2.2.4.3 Design of the framework for managing risk .................................... 31
3 Case study ............................................................................................................ 33
3.1 Overview of case study company ........................................................................ 33
3.2 Overview of threat landscape ............................................................................. 34
3.3 Overview of information security measures ...................................................... 36
3.3.1 Risk management framework ..................................................................... 36
3.3.1.1 Risk management process ................................................................ 37
3.3.1.2 Implementation plan ........................................................................ 42
3.3.2 Case study company risk mitigation plan ................................................... 45
3.3.2.1 Application level security control .................................................... 46
3.3.2.2 Data level security control method .................................................. 48
3.3.2.3 Technical security control ................................................................ 50
3.4 Discussion and improvement .............................................................................. 51
3.4.1 Comparison ................................................................................................. 51
3.4.1.1 Risk identification ............................................................................ 51
3.4.1.2 Risk analysis .................................................................................... 52
3.4.1.3 Risk treatment (mitigation) .............................................................. 52
3.4.2 Possible improvements for case study company framework ...................... 54
3.4.2.1 Risk identification and analysis ....................................................... 54
3.4.2.2 Risk treatment .................................................................................. 55
4 Conclusion ........................................................................................................... 58
References ................................................................................................................... 60
List of tables
Table 1 Terminology and risk management phase .............................................. 22
Table 2 Risk matrix example ............................................................................... 26
Table 3 Approach for control implementation (Stoneburner & Goguen 2002) ... 28
Table 4 Technical control category (Stoneburner & Goguen 2002) .................... 28
Table 5 Management control category (Stoneburner & Goguen 2002) .............. 29
Table 6 Operational control category (Stoneburner & Goguen 2002) ................ 29
Table 7 Element in implementation plan ............................................................. 54
Abstract
Information is increasingly seen as the most valuable (intellectual) property of a
company, and information security is increasingly important in today’s information
age. Although no particular technology can entirely mitigate information security
risks, a significant proportion of existing breaches can be minimised by using a good
information security risk management framework.
In this thesis, I examined three widely used international risk management
frameworks: NIST SP800-30 (National Institute of Standards and Technology), ISO
(International Organisation for Standardisation) 31000 and ENISA (European
Network and Information Security Agency). Using China Aerospace Systems
Engineering Corporation as a case study, I studied the existing information security
risk management framework used by the company, and then identified how the three
international risk management frameworks could be adapted by the company in order
to mitigate information security risk more effectively.
Acknowledgement
I am wholeheartedly thankful to my supervisor, Dr. Raymond Choo, who has
mentored me, encouraged me and supported me during my minor thesis period. The
knowledge of risk frameworks and cyber threats which he taught me really helped me
to achieve the goal of this thesis. It is truly appreciated that whenever I faced any
difficulties, his guidance always led me to conquer the issue and brought me a deeper
understanding of the research field.
Besides my supervisor, I also want to thank Professor Jiuyong Li for helping me
understand the method and meaning of research concepts and the essence of research,
and for providing valuable ideas which helped me conduct my thesis work.
1 Introduction
1.1 Cyber threat landscape
Information technology has been widely invented and improved in recent decades.
Along with the convenient and effective workflows that information technology
provides and promotes, e-commerce has become more popular than ever before
(Amoroso 2011). However, with the improvement of information technology, negative
influences have also arisen in recent years. Risks related to personal information, such
as losing an email account, an Internet banking account, a mobile password or a social
network password, have become serious problems caused by cybercrime, a type of
information attack that operates through the Internet (Choo 2011).
With the spread of cybercrime across the world, almost every country will face
problems related to information technology security breaches. For some specific
countries such as America, Japan and England, cybercrime has increased rapidly
during recent decades (Choo 2011 & Gordon 2011). According to Gordon (2011), the
United States loses 75 billion USD each year, even though it has the most advanced
technology and risk management strategy. It is also common to see valuable and
classified files on senior officers’ computers, including military material, corporate
economic information and future plans, being stolen. The consequence is clear:
whatever the reason for an attack, it brings financial loss, damage to corporate morale
and a declined reputation. Therefore, this kind of attack has a profound negative effect
on companies and governments (Choo 2011 & Gordon 2011).
In recent years, with the high-speed development and innovation of IT facilities,
cybercrime has become more frequent and a large number of corporations have
suffered or experienced cyber-attacks. Viruses on database servers steal the
administrators’ account names and passwords. These viruses are not the only threat:
spam emails which contain malware or phishing material, and illegal remote access
connecting to targeted computers in companies, also lead to data loss (Amoroso
2011 & Choo 2011). Attack methods such as email spoofing, phishing and malware
have been widely used by hackers to conduct cyber-attacks (Mathew et al. 2010). In
addition, many attacks or losses are not detected when they happen (Choo 2011).
Therefore, the potential loss cannot be calculated accurately and precisely.
Examples of cyber-attack sources:
1. Counterfeit software and hardware
Genuine (licensed) software can prevent major security issues through different
means: update permission, unmodified versions, etc. Without this protection,
attackers could implant malware into the system and gain the privileged permission
to control computers, data centres and servers (National 2011). A large number of
corporations do not use licensed software when staff process their daily jobs. Even
where the operating system is licensed, such as Mac OS, the Windows series or Linux,
counterfeit software such as Microsoft Office, Photoshop and AutoCAD has been
widely used by staff in different companies (Microsoft 2011).
2. Employee training issue
It is suggested that every company has a security training session for employees
before they work for the corporation (Choo 2011). It would include the protection
policy for company confidential files, the operational process to maintain protected
files, and the method to create and transfer files between company equipment. However,
although the training is set by the company, many employees find it hard to obey
1.2 Motivation
The above issues could be eliminated by many methods, such as building up a
security policy, strengthening the employee training session and assessing the training
regularly, etc. All the methods that can decrease these risks can be categorised under
the risk management framework of the organisation. With an appropriate standard
built and implemented in the organisation, it could maximise the security level of the
company and help the company avoid possible attacks and incidents, such as
cyber-attacks, internal issues, environmental disasters, etc.
There are a large number of risk frameworks used by different organisations and
countries. This research will mainly analyse and evaluate three different risk
management frameworks: NIST (National Institute of Standards and Technology), ISO
31000 and ENISA (European Network and Information Security Agency). Each
framework has different advantages and those advantages have been widely discussed
by many researchers (Ekelhart et al. 2009 & Tohidi 2011). A meaningful and valuable
piece of research should therefore examine the differences between the case study
company’s framework and the international standards, and the limitations and
performance of the company framework, etc.
1.3 Introduction of China Aerospace industry
China Aerospace Corporation was divided into two corporations in 1999. These are
China Aerospace and Technology Corporation (CASC) and China Aerospace and
Industry Corporation (CASIC) (Medeiros et al. 2005).
CASC is involved in space systems and long-range strategic ballistic missiles. In 2009,
CASC merged with China Satellite Communications Corporation (China Satcom),
extending the company into telecommunications satellites. Its products include deep
space exploration such as Chang’e 1 & 2, and satellites such as ocean satellites and
meteorological satellites. From the defence system perspective, the products include
vehicle air defence, precision guided bombs, ship-to-air missiles, etc. (Stokes 1999).
CASC controls over 125 corporations; its academies include the China Academy of
Aerospace Aerodynamics, the China Academy of Space Technology, etc. In addition,
it includes some specialised companies such as China Aerospace Times Electronics
Corporation and China Aerospace Engineering Consultation Centre (NTI 2011a).
CASIC is a company with 100 billion Yuan of registered capital, owned and funded
by the state government. It contains five research institutes, two research and
production bases, more than 580 enterprises and institutions, and more than 127000
employees (CASIC 2012). Missile development, aerospace electronics and aerospace
equipment are the coverage of CASIC (JIP 2011). The majority of the company’s
work and products relate to defence, such as short and medium range ballistic
missiles and cruise missiles. This differs from CASC, which focuses on long range
missiles and satellites. CASIC is engaged in civilian products as well, such as
computer applications, satellite applications, medical equipment, chemicals, etc. Its
academies include the China Changfeng Mechanics and Electronics Technology
Academy, the China Haiying Electro-Mechanical Technology Academy, etc., and its
subordinate enterprises include CASIC Defense Technology Institute, Hunan
Aerospace Industry Corporation, etc. (NTI 2011b)
1.4 Field of thesis
Information security risk framework
1.5 Research question
Data is the most valuable resource in an organisation, and a company should design
suitable methods to protect its systems and information. A risk management
framework is usually implemented in the organisation, and the framework is built from
a national standard such as NIST or ISO 31000. The aerospace industry often
handles sensitive information, which should be protected to an acceptable level
inside the company.
This research will examine two questions:
a. What are the (cyber) threat landscape and the emerging trends and challenges that
would have an impact on the China Aerospace Systems Engineering Corporation
(Case Study Company)?
b. What are the limitations of existing information security risk management
frameworks and/or how can existing frameworks be adapted in the Case Study
Company?
The questions will be answered through interviews with senior managers in the case
study company and experienced employees who conduct the information risk
management work in the company. The answers will be gathered and analysed
together with government statistical reports and academic articles, to evaluate the
current cyber threat situation and the performance and limitations of the framework
currently used in the company.
In addition, this research will review the different standards in the current industry
and analyse the advantages and disadvantages of those frameworks. After the
interviews in the case study company, its current framework will be analysed. If the
framework contains limitations or room for improvement, the following work will
integrate the advantages of the reviewed standards, so that the framework could
become more suitable and usable in the company.
2 Literature review
Risk management frameworks have been widely utilised by a large number of
organisations covering many industry areas worldwide. This literature review
will go through three national risk management frameworks: NIST SP800-30
(National Institute of Standards and Technology) (Stoneburner & Goguen 2002), ISO
31000 (International Organisation for Standardisation) and ENISA (European
Network and Information Security Agency) (Australia 2009 & European 2006).
2.1 Standards
2.1.1 NIST Information Risk Management Framework
The NIST (National Institute of Standards and Technology) document first provides
basic information on risk management in an organisation and on its importance when
the risk management process is used in the organisation. According to NIST, risk
management allows IT managers to use protective measures to protect the IT system
and data that support the task requirements, while balancing the operational and
economic cost of achieving these goals. The NIST risk management process includes
three parts: risk assessment, risk mitigation and evaluation (Stoneburner & Goguen
2002).
2.1.1.1 Risk assessment
Risk assessment is the first phase in the NIST risk management process. It includes
nine major steps: system characterisation, threat identification, vulnerability
identification, control analysis, likelihood determination, impact analysis, risk
determination, control recommendations and results documentation. The following
sections give a brief introduction to the nine NIST risk assessment steps.
1. System Characterisation
The first step in integrating risk management is to define the scope of the current
system, such as the system information and resources used by the current system.
System-related information could include hardware, software, system interfaces, data
and information, etc. In addition, the operational environment of the system, such as
the functional requirements of the IT system, system user information and the system
security architecture, could also be included when collecting system information. The
methodology for information gathering could use questionnaires, online interviews,
document review and scanning tools. These methods can provide comprehensive
information about the IT system.
2. Threat identification
Weaknesses could bring damage to the system when they are accidentally triggered or
intentionally exploited. The threat-sources identified in this section are natural threats,
human threats and environmental threats. It is important to note the threat-source in
different situations and the potential damage it could bring to the system. In addition,
the motivation and the threat action can be considered when processing threat
identification, for instance by combining the threat-source, motivation and threat
action. Taking a hacker as an example, the motivation could be defined as challenge,
ego or rebellion, and the threat actions could include hacking, system intrusion and
unauthorised system access. A similar list could be designed in the threat
identification phase; it can help the IT manager become more familiar with the
different threats and types of attackers involved in the attack phase.
3. Vulnerability identification
Weaknesses in the system design and implementation phase could trigger system
collapse or a security breach, and are defined as the vulnerabilities of the system.
NIST suggests methods to identify vulnerabilities which consist of vulnerability
sources, system security testing, and the development of a security requirements
checklist.
In order to analyse vulnerability sources, the information-gathering techniques
introduced in the system characterisation section can be applied. The following
material is suggested by NIST when identifying vulnerability sources: IT system risk
assessment documentation, IT security audit reports, system software security
analyses, etc. The information from these materials is valuable when compiling the
vulnerability sources. System security testing could involve automated
vulnerability-scanning tools, security test and evaluation, and penetration testing.
4. Control analysis
Control analysis determines whether the current methods and implementations could
decrease or eliminate the likelihood of a system vulnerability being exercised. Control
methods can be categorised into technical and non-technical parts. Hardware and
software integrated within the system to protect it, such as encryption and firewalls,
are examples of technical methods. Methods such as security policies, and personnel,
physical and environmental security, are types of non-technical methods. The
combination of both types could bring an effective solution for the company to protect
the system. In addition, preventive and detective controls are subcategories of the
control methods.
5. Likelihood determination
The threat-source, the nature of the vulnerability and the effectiveness of current
controls should be considered when determining the likelihood that a potential
vulnerability is exercised. A likelihood rating (High, Medium and Low) should be
designed at this stage.
6. Impact analysis
Impact analysis should consider the system mission, system and data criticality, and
system and data sensitivity; these three pieces of documentation should help the
analyst be more accurate when performing the impact analysis. The system mission
and the critical and sensitive assets of the organisation can be referred to when
analysing the impact on the system. In addition, the three security goals, integrity,
availability and confidentiality, are the major impacts on a system; therefore, system
availability, data confidentiality and data integrity should be considered when making
the impact analysis.
7. Risk determination
To determine the risk, NIST suggests using a risk-level matrix and a risk scale. The
risk-level matrix combines the risk impact scale and the threat likelihood. 3*3, 4*4
and 5*5 matrices are the most usable types and can be used by most organisations.
Taking 3*3 as an example, the likelihood (High, Medium and Low) could use 1, 0.5
and 0.1 for the different probabilities, and the impact level could use 100, 50 and 10
for the different scales. Overall, 50-100 is high risk, 10-50 is defined as medium risk
and 1-10 is low risk. After the risk matrix, the risk scale and the actions for each risk
level should be designed to protect the system.
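As an added illustration that is not part of the thesis, the following Python code builds the 3*3 NIST-style risk-level matrix described above from the likelihood weights (1, 0.5, 0.1), impact weights (100, 50, 10) and the three risk bands given in the text, and ranks a constructed list of sample risks drawn from the threat examples in the introduction. The handling of boundary scores (exactly 50 or 10 falling into the lower band) and the sample risks are assumptions.

```python
"""Risk determination with a NIST SP 800-30 style 3*3 risk-level matrix.

Added example: the likelihood weights, impact weights and the three risk bands
follow the thesis text. The boundary rule (a score of exactly 50 counts as
Medium and exactly 10 as Low, i.e. the bands are read as >50 to 100,
>10 to 50 and 1 to 10) is an assumption, and the sample risks are constructed.
"""
from dataclasses import dataclass
from itertools import product

# Weights from the thesis: likelihood (High/Medium/Low) and impact (High/Medium/Low).
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def risk_score(likelihood: str, impact: str) -> float:
    """Risk score = likelihood weight * impact weight (one cell of the matrix).

    Rounded so that 0.1 * 100 compares cleanly against the band boundaries.
    """
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 6)


def risk_level(score: float) -> str:
    """Map a score to the bands: 50-100 High, 10-50 Medium, 1-10 Low.

    Assumption: a score that sits exactly on a boundary falls into the lower band.
    """
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def build_matrix() -> dict:
    """The full 3*3 risk-level matrix: (likelihood, impact) -> (score, level)."""
    matrix = {}
    for likelihood, impact in product(LIKELIHOOD, IMPACT):
        score = risk_score(likelihood, impact)
        matrix[(likelihood, impact)] = (score, risk_level(score))
    return matrix


@dataclass
class Risk:
    """One threat/vulnerability pair after the likelihood and impact steps."""
    name: str
    threat_source: str   # natural, human or environmental, as in threat identification
    likelihood: str      # rating after taking current controls into account
    impact: str          # rating from the impact analysis


def rank_risks(risks):
    """Order risks for the control-recommendation step, highest score first.

    sorted() is stable, so risks with equal scores keep their input order.
    """
    scored = [(r, risk_score(r.likelihood, r.impact)) for r in risks]
    return sorted(scored, key=lambda rs: rs[1], reverse=True)


# Constructed sample risks, based on the threat examples in the introduction.
SAMPLE_RISKS = [
    Risk("Counterfeit office software carrying malware", "human (external)", "High", "High"),
    Risk("Phishing email against finance staff", "human (external)", "Medium", "High"),
    Risk("Staff ignore file-handling training", "human (internal)", "High", "Medium"),
    Risk("Flood at the data centre", "natural", "Low", "High"),
    Risk("Spam without a malicious payload", "human (external)", "High", "Low"),
]


if __name__ == "__main__":
    print("Risk-level matrix:")
    for (likelihood, impact), (score, level) in sorted(build_matrix().items()):
        print(f"  likelihood={likelihood:6} impact={impact:6} score={score:5.1f} -> {level}")
    print("Ranked sample risks:")
    for risk, score in rank_risks(SAMPLE_RISKS):
        print(f"  {score:5.1f} {risk_level(score):6} {risk.name}")
```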
8. Control recommendation
During the recommendation phase, control methods should be introduced that fit the
requirement to reduce and eliminate the risk to the system. Through the process, the
effectiveness of the recommended options, legislation and regulation, organisational
policy, operational impact, and safety and reliability should be considered when
making the suggestion.
9. Results documentation
The last phase of risk assessment is documenting the results of the process. NIST
advises that the report should be designed in a systematic and analytical way for the
best understanding when senior managers proceed with activities to implement the
control methods.
2.1.1.2 Risk mitigation
After the risk assessment, risk mitigation is the second step of the NIST risk
management process. It involves six steps:
1. Risk mitigation options
The risk mitigation options help the manager decide which strategy is suitable for
the company; the following options are NIST’s suggestions, which can help the
decision maker make appropriate choices for the corporation. According to NIST,
risk assumption, risk avoidance, risk limitation, risk planning, research and
acknowledgment, and risk transference are the main options for a company when
designing its risk mitigation plan.
2. Risk mitigation strategy
The risk mitigation strategy should be decided by senior management to determine
suitable methods for implementing the different protection actions. According to
NIST, four points can be involved in the protection plan to protect the system. First,
the existence of a system vulnerability is a risk, and to reduce the vulnerability the
manager could implement suitable technical methods to decrease the likelihood of the
vulnerability being exploited. Secondly, if the vulnerability of the system could be
attacked by a malicious person, layered protection should be applied and the system
architecture improved to reduce the risk. Thirdly, increasing the cost of attack
decreases the attacker’s motivation; therefore, the risk can be reduced by raising the
cost of attack, for example by using protection software, access control, etc. Finally,
when the potential loss from a risk is great, this is the signal to protect the system;
the methods are similar to the second point, using technical and non-technical
controls to reduce the risk to the system and protect the property.
3. Approach for control implementation
Before the implementation of the risk control methods, NIST suggests a process to
decide which risk control method is suitable and reasonable for the system. The
process involves seven steps, which will be demonstrated using a table in the second
part of the literature review.
4. Control categories
To maximise the effectiveness of the different control methods, control categories
should be built for the organisation to determine the appropriate controls for
implementation. The control categories include technical, management and
operational security control methods. The different control methods play various roles
in solving problems in the company. Technical controls prevent issues related to the
network, database, hardware, firewall, etc. Management controls focus on policy,
goals, procedures, etc. Operational controls could include industry practices,
emergency power sources, physical security controls, etc.
5. Cost-benefit analysis
After analysing all possible control methods, a cost-benefit analysis should be
conducted to determine the most suitable control for the organisation. To maintain
the risk at an acceptable level, senior management should evaluate cost-effectiveness
by examining the effect of implementing the control, the effect of not implementing it,
the implementation cost, and the difference between the implementation cost and the
value of the system resource. The suitable and cost-effective control method could
then be implemented for the company; however, the less expensive and more suitable
control method should be noted so the company can optimise the control system.
6. Residual risk
The risk that remains after the implementation of a new or enhanced control method
is categorised as residual risk. The organisation should define the acceptance level
for residual risk and repeat the risk management cycle to search for suitable control
methods, depending on the acceptance evaluation.
2.1.1.3 Evaluation and Assessment
The last step of the NIST risk management process is evaluation and assessment. The
system implemented by most organisations should be modified and improved against
new potential risks. In addition, personnel changes could lead to modification of the
security policy and related operational policy, etc. Therefore, ongoing evaluation and
assessment will lead the organisation to improve the risk management process,
investigate new security control methods and bring a more secure environment for the
company.
Some keys to success are: senior management commitment, IT team support, risk
assessment team competence, the cooperation and awareness of users, and continuous
risk evaluation and assessment.
2.1.2 ISO 31000
Compared with the NIST risk management framework, ISO 31000 provides a different
and simpler approach to managing and designing the risk framework. This framework
has been widely used by Australian and New Zealand organisations and government
agencies. The following chapter briefly introduces the structure of the framework
(Svetoslav & Gaidow 2005, Queensland 2001).
The overall framework is separated into five components: mandate and commitment
(discussed in 2.2.4), design of the framework for managing risk (discussed in 2.2.4),
implementing risk management, monitoring and review of the framework, and
continual improvement of the framework (Australia 2009).
2.1.2.1 Risk assessment
Risk assessment is the second step of the implementation phase (the first part is the
communication process, discussed in 2.2.4). It is divided into three aspects: risk
identification, risk analysis and risk evaluation.
Risk identification
In order to achieve the organisation’s mission and objectives and prevent unexpected
incidents, risk identification should work from the foundation of each source and
produce a comprehensive list of every possible risk that could occur during the
organisation’s processes. For instance, it contains the impact of the risk, the potential
source of the risk and the consequence of the risk. Identification tools and methods are
suggested by this standard; in addition, people with appropriate skills should be
involved in the risk identification phase.
Risk analysis
Risk analysis should consider the risk from various aspects: the likelihood of the
risk, the consequence of the risk, the multiple consequences of a risk event, etc. For
suitable identification, the level of risk should be established in this step, and
communication with stakeholders should be established in order to gain appropriate
results and meet the expectations of the decision maker. Depending on the situation,
the analysis could be processed by a qualitative, semi-quantitative or quantitative
method. In addition, the detail of the analysis could vary depending on the degree of
risk, the purpose of the analysis, the risk information, and the organisation’s data and
resources. The results from risk analysis should provide the input for risk evaluation
and risk treatment.
Risk evaluation
Risk evaluation should assist in choosing the risk treatment method. It should build
on the contribution of the risk analysis, comparing the risk level with the
organisation’s risk attitude and tolerance, etc.
Risk treatment
This is the process designed to select and implement the control options.
The risk treatment process consists of: assessment of a treatment, deciding whether
the residual risk is tolerable, a new risk treatment for risk that is not tolerable, and
evaluation of the new method. The selection of the risk treatment should include the
stakeholders’ opinions and consider the cost-benefit analysis. In addition, the results
from risk evaluation should be considered when implementing the treatment. To
prepare for implementation, a treatment plan should be generated. It could include:
the reason for the selection, the responsibility for the risk treatment, proposed actions,
required resources, measurement of performance, time and schedule, etc. The residual
risk should be reviewed, monitored and analysed in the process in order to search for
suitable treatments in the future.
2.1.2.2 Monitor and review
Monitoring and recording of the process should be undertaken for continuous learning
and improvement of the risk assessment, to evaluate the effectiveness and efficiency of
risk treatment, to detect internal and external changes, etc. Reports should be recorded
appropriately, considering the following points: the cost and effort of recording, the
method of recording, information sensitivity, etc.
2.1.2.3 Monitoring and continual improvement of the framework
Components such as the performance of the management process and the effectiveness
of the framework, policy and plan are monitored in order to improve the current
framework and design a more suitable and appropriate framework for the organisation.
2.1.3 ENISA
ENISA has published a document demonstrating the principles of risk management
framework implementation. The framework consists of five aspects: corporate risk
management strategy, risk assessment, risk treatment, and monitoring and review
(European 2006).
2.1.3.1 Corporate risk management strategy
In ENISA, the corporate risk management strategy is a comprehensive business process
that can be documented before the risk assessment phase. It includes the management
process, the action plan to be followed during the design process, the security policy,
etc. For a comprehensive understanding of the system and organisation properties,
communication between internal and external sources is important and necessary. In
addition, communication and consultation will be helpful when cooperating with other
organisations. To define the scope of the management framework, the essential
information should be collected and analysed, such as the internal environment
(software, hardware, stakeholder interests, organisation culture, etc.), the external
environment (local market situation, social environment, external stakeholders, etc.),
the risk management context (the scope of risk management, responsibility table, the
organisation's property, the goals of the management, etc.) and the risk criteria that
define whether a risk should be treated or accepted.
2.1.3.2 Risk assessment
Risk assessment is a process that helps the organisation and decision makers gain a
better understanding of the defined risks. Through identification, analysis and
evaluation, the vulnerabilities and the effects of the risks should be clearer after this
process. To define risk in an organisation, a comprehensive list of the risks that could
occur in each process should be identified first, including the source of the risk, the
activities of the risk, the consequences the risk could bring to the company, etc. To
define those risks, several methodologies can be used in the organisation, for instance
team brainstorming, break thinking, judgement-based recommendation, system design
analysis, etc.
2.1.3.3 Risk analysis and evaluation
Risk analysis should be designed to assess the risk from various aspects, such as the
likelihood of the risk, the consequences after the risk is triggered, the current control
methods that could mitigate the risk, etc. The methods may include qualitative, semi-
quantitative and quantitative analysis. A comprehensive analysis provides clear
direction for the next step, risk evaluation.
Risk evaluation should assess the risk against the risk criteria to decide the risk level
and the risk treatment level for the risk. It should involve the organisation's processes,
stakeholder concerns and expert decisions.
2.1.3.4 Risk treatment
The risk treatment process should cover the selection and implementation of control
methods.
Identification of options: not all risks bring negative consequences; some risks could
be turned to the organisation's advantage. For the different risk types, treatment
options should be defined to increase the positive impact and reduce the negative
effect on the company. In addition, a cost-benefit analysis could be considered in this
process to prepare for the further decision.
The development, approval and implementation of the action plan should be sequential
phases of risk treatment. The document produced should provide the basic information
for implementing the control methods, such as the time for implementation, required
resources, responsibility for each risk, etc. Approval of the action plan should involve
experts, top managers and relevant personnel; in addition, the process should be
continually improved for better performance. During the implementation phase, the
organisation's senior managers should be involved in the process and provide support
and sponsorship for the action. Moreover, the risk management policy should be
documented by the organisation to guide the process; it could contain the objectives
for managing risk, the management process, risk management performance, etc. The
above activities help ensure awareness and effectiveness in the implementation phase.
Residual risk should be identified and reviewed throughout the risk management
process to ensure appropriate management during the organisation's activities.
2.1.3.5 Monitor and review
Continuous monitoring and review can help the organisation's risk management
framework become more effective and accurate in the future. With a fast-changing
business environment, the risks change as well. Renewing the framework makes it
more adequate and suitable for the organisation. The valuable information retained by
the organisation can improve governance and management in the future.
2.2 Literature gap

Phase        | NIST                             | ISO 31000                                                                       | ENISA
First phase  |                                  | Mandate and commitment; Design of framework for managing risk                   | Corporate risk management strategy
Second phase | Risk assessment; Risk mitigation | Implementing risk management                                                    | Risk assessment; Risk treatment; Risk acceptance (optional)
Third phase  | Evaluation and assessment        | Monitoring and review of the framework; Continual improvement of the framework | Monitoring and review
Table 1 Terminology and risk management phase
In the first phase of the table, ISO 31000 focuses on an effective risk management
process, such as accountability and responsibility, design of the risk management
policy, provision of resources, the communication process, etc. ENISA also focuses on
the internal and external context of the company and on risk criteria. In the second
phase of the table, the objective of the three frameworks is to assess the risk and to
design and implement a mitigation plan. Although the three frameworks use different
terminologies to define each process, the main purpose is the same. The last phase is
to evaluate and improve the whole process, and all three frameworks indicate the
importance of continuous improvement and review in risk management.
2.2.1 Risk assessment
All three risk management frameworks include a risk assessment process in their risk
management structure. NIST introduces a more comprehensive process, which
contains risk identification, risk analysis and risk evaluation for the assessment phase.
ISO 31000 covers the same three basic parts; however, its content is more general than
the NIST process. ENISA has the same interpretation as ISO 31000. With regard to
the method of establishing the context, ISO 31000 gives more detailed information
and process for the user and is better explained than the other two frameworks.
2.2.1.1 Context Establishing
All three frameworks include context establishment as the first process in risk
assessment. In this process, ISO 31000 and ENISA describe a detailed process for the
user, which includes the external context, such as the social and cultural, political,
economic and natural environment, etc., and the internal context: organisation
structure, the relationship with internal stakeholders, corporate standards, the culture of
the organisation, etc. The frameworks also consider the various perspectives of
stakeholders, which are important during the establishing phase (Australia 2009 &
European 2006). On the other hand, NIST provides a system characterisation process
in the risk assessment phase that concentrates more on the system perspective
(European 2006); it consists of hardware, software, system interfaces, data and
information, etc. In addition, NIST points out that the operational environment of the
system, such as the functional requirements of the IT system, system user information
and the system security architecture, could be collected as well (Stoneburner &
Goguen 2002). Moreover, ENISA and NIST mention collection methodologies that
could be used by the organisation, such as team brainstorming, questionnaires, online
interviews, document review, etc. (Stoneburner & Goguen 2002, European 2006).
2.2.1.2 Risk identification
As the second step in risk assessment, risk identification plays an important role in
ensuring the success of the following processes (Linjie 2011). It should determine the
risks that have a potential effect on the project, and accuracy is required during the
process (Barati & Mohammadi 2008). The organisation's environment and business
processes should be inputs to the identification process, and different methods can be
used, such as interviewing, team-based brainstorming, assumptions analysis, etc.
(Linjie 2011, Barati & Mohammadi 2008). The risk identification proposed by NIST
and ENISA is more detailed. NIST covers threat identification and vulnerability
identification (Stoneburner & Goguen 2002). NIST suggests that threat sources could
include natural threats, human threats and environmental threats, and it is important to
notice the threat source in different situations and the potential damage it could bring
to the system (Stoneburner & Goguen 2002). Moreover, motivation and threat actions
should be considered when carrying out threat identification. This can help the IT
manager become more familiar with the different threat types and the kinds of people
involved in an attack (Stoneburner & Goguen 2002). Weaknesses in the system design
or implementation phase that could trigger a system collapse or a security breach can
be defined as vulnerabilities of the system. NIST suggests that the method for defining
vulnerabilities could combine vulnerability sources, system security testing, and the
development of a security requirements checklist (Stoneburner & Goguen 2002).
Compared with the NIST approach, the ENISA framework lists the related
characterisations, such as origin, consequences, results, impact, reason for happening,
time and place, etc. (European 2006). However, the ISO 31000 framework describes
identification at a high level, introducing only a few aspects to be careful about when
carrying out risk identification. For instance, it should include the impact of the risk,
the potential source of the risk, and the consequence of the risk. In addition, ENISA
introduces methods and tools related to the identification methodology, such as
team-based brainstorming, flow charting, system design review, etc. (European 2006).
These could help the organisation be clearer during the process.
2.2.1.3 Risk analysis
Risk analysis should identify and assess the risks that could influence the
organisation's tasks, and it should provide essential information for risk control
selection and evaluation (Jung-Ho et al. 2010). It should provide the information the
organisation needs to build risk controls and set the acceptable level (Jung-Ho et al.
2010 & Syalim et al. 2009). Control analysis could be integrated to analyse the current
controls and provide a useful reference for risk analysis (Stoneburner & Goguen 2002,
Syalim et al. 2009). With regard to the risk analysis methods of the three frameworks,
likelihood and impact determination is indicated in each (Stoneburner & Goguen
2002, Australia 2009, European 2006). In this case, NIST gives a detailed and
well-explained context to introduce the analysis process. It suggests that the threat
source, the nature of the vulnerability and the effectiveness of current controls could
be considered when defining the likelihood of a potential vulnerability. In addition, a
likelihood rating (High, Medium and Low) should be designed in the likelihood
determination stage (Stoneburner & Goguen 2002). Impact analysis should consider
the system mission, data criticality and data sensitivity; together these three pieces of
documentation should help the analyst be more accurate when carrying out the impact
analysis. In addition, the three security goals, system availability, data confidentiality
and integrity, should be considered when making the impact analysis as well
(Stoneburner & Goguen 2002).
Besides the comprehensive introduction to likelihood and impact analysis, the three
standards suggest a few methods that could be used when carrying out the analysis:
multi-disciplinary groups of experts, structured interviews, and qualitative, semi-
quantitative and quantitative analysis (Stoneburner & Goguen 2002, Australia 2009,
European 2006). Moreover, past records, the risk degree, the purpose of the analysis,
risk information, the organisation's data and resources, expert advice, etc. could adjust
the detail and type of analysis (Stoneburner & Goguen 2002, Australia 2009,
European 2006).
In the risk analysis process, the three standards indicate the importance of evaluating
current controls, which is to determine whether the current methods and their
implementation could decrease or eliminate the likelihood that a system vulnerability
is exercised (Stoneburner & Goguen 2002, Australia 2009, European 2006). NIST
defines that control methods could be categorised into technical (hardware and
software integrated within the system to protect it, encryption methods, firewalls, etc.)
and non-technical (security policies, personnel, physical and environmental security)
(Stoneburner & Goguen 2002).
2.2.1.4 Risk evaluation
To help build the risk mitigation plan, the risk evaluation process should identify,
analyse and develop a logical suggestion to provide important information (Sadiq et
al. 2010). A risk matrix could be involved in this process for clear interpretation (Xue
et al. 2011). It should finalise the risk assessment process and determine the risk level,
risk prioritisation and risk categorisation (Sadiq et al. 2010). In the risk evaluation
phase, both ISO 31000 and ENISA give a brief introduction to the process; however,
the two frameworks do not point out the methods or tools that could be used in this
process. ISO 31000 indicates that the evaluation phase should draw on the
contribution of risk analysis and compare the risk level with the organisation's risk
attitude and tolerance, etc. (Australia 2009). Risk criteria could be used in the risk
evaluation process to define the risk treatment and risk level, as suggested by ENISA
and ISO 31000 (Australia 2009 & European 2006).
Compared with the other standards, NIST suggests a more detailed process, which
contains three parts to finalise it. It consists of risk determination, control
recommendation and results documentation. To determine the risk, NIST suggests the
use of a risk-level matrix and a risk scale. The risk-level matrix combines the risk
impact scale and the threat likelihood. Impact levels (low, medium, high) and
likelihood levels (low, medium, high) are the most usable type and can be used by
most organisations (Stoneburner & Goguen 2002). During the recommendation phase,
control methods should be introduced that fit the requirement to reduce and eliminate
the risk to the system. Throughout the process, the effectiveness of the recommended
options, legislation and regulation, organisational policy, operational impact, and
safety and reliability should be considered when making the suggestion (Stoneburner
& Goguen 2002). Results documentation should be produced in a systematic and
analytical way for the best understanding when senior managers undertake activities
to implement the control methods (Stoneburner & Goguen 2002).
                    Impact
Likelihood          Low         Medium      High
Low
Medium
High
Table 2 Risk matrix example
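As an added example (not code from the thesis or from the standards it reviews), the following Python fills every cell of the matrix above with the weights NIST SP 800-30 attaches to its High/Medium/Low ratings and then carries the result into Step 1 of the NIST treatment process by ranking a set of findings from highest to lowest risk. The weights and risk-scale thresholds are taken from NIST SP 800-30 rather than from this page, and the findings are constructed sample input, not the case study company's data.

```python
"""Risk determination with a likelihood x impact risk-level matrix.

Added example, not code from the thesis. The numeric weights and the
risk-scale thresholds below are the ones NIST SP 800-30 (Stoneburner &
Goguen 2002) attaches to its High/Medium/Low ratings; the findings at the
bottom are constructed sample input, not the case study company's data.
"""
from dataclasses import dataclass

# Qualitative rating -> weight, as assigned in NIST SP 800-30 (assumed from
# that document; the thesis only names the three rating levels).
LIKELIHOOD_WEIGHT = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT_WEIGHT = {"Low": 10, "Medium": 50, "High": 100}
RATINGS = ("Low", "Medium", "High")


def risk_value(likelihood: str, impact: str) -> float:
    """Risk value = likelihood weight x impact weight (1.0 .. 100.0)."""
    try:
        return LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]
    except KeyError as exc:
        # Reject anything outside the three-level scale instead of silently
        # treating an unrated finding as low risk.
        raise ValueError(
            f"unknown rating {exc.args[0]!r}; use one of {RATINGS}"
        ) from None


def risk_level(value: float) -> str:
    """Map a risk value onto the NIST risk scale.

    High: above 50 to 100, Medium: above 10 to 50, Low: 1 to 10.
    """
    if value > 50:
        return "High"
    if value > 10:
        return "Medium"
    return "Low"


def risk_matrix() -> dict[tuple[str, str], str]:
    """Fill every cell of Table 2: (likelihood, impact) -> risk level."""
    return {
        (lik, imp): risk_level(risk_value(lik, imp))
        for lik in RATINGS
        for imp in RATINGS
    }


def render_matrix(matrix: dict[tuple[str, str], str]) -> str:
    """Plain-text rendering with likelihood rows and impact columns."""
    header = "Likelihood \\ Impact".ljust(22) + "".join(r.ljust(10) for r in RATINGS)
    rows = [
        lik.ljust(22) + "".join(matrix[(lik, imp)].ljust(10) for imp in RATINGS)
        for lik in RATINGS
    ]
    return "\n".join([header, *rows])


@dataclass(frozen=True)
class Finding:
    """One threat-source / vulnerability pair rated by the assessment team."""
    threat_source: str
    vulnerability: str
    likelihood: str
    impact: str


def prioritise(findings: list[Finding]) -> list[tuple[Finding, float, str]]:
    """Step 1 of the NIST treatment process: order findings from highest to
    lowest risk. Ties on risk value are broken by impact weight, so a rarer
    but more damaging event is listed before a common, less damaging one."""
    ranked = sorted(
        findings,
        key=lambda f: (risk_value(f.likelihood, f.impact), IMPACT_WEIGHT[f.impact]),
        reverse=True,
    )
    return [
        (f, risk_value(f.likelihood, f.impact), risk_level(risk_value(f.likelihood, f.impact)))
        for f in ranked
    ]


# Constructed sample findings (hypothetical, loosely modelled on the threat
# landscape described in the case study).
SAMPLE_FINDINGS = [
    Finding("Phishing operator", "Staff cannot tell a fake ticketing site from the real one", "High", "Medium"),
    Finding("Mobile malware", "Unmanaged employee phones hold mail and banking credentials", "Medium", "High"),
    Finding("Print-job Trojan", "Unpatched print server", "Low", "Medium"),
    Finding("Natural threat (flood)", "Server room below ground level", "Low", "High"),
]

if __name__ == "__main__":
    print(render_matrix(risk_matrix()))
    print()
    for finding, value, level in prioritise(SAMPLE_FINDINGS):
        print(f"{level:<7}{value:>6.1f}  {finding.threat_source}: {finding.vulnerability}")
```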
2.2.2 Risk treatment
NIST names the process risk mitigation instead of risk treatment; however, its function
is the same as in the other frameworks. Therefore, “risk treatment process” will be
used in this section for consistency and easy understanding.
The risk treatment process provides a group of countermeasures to decrease the
downtime and cost when a risk materialises in the organisation, and they can be either
technical or organisational (Zambon et al. 2007). The three standards propose that the
risk treatment process should start with identifying treatment options; however,
AS/NZS 4360 (the predecessor of ISO 31000) and ENISA both indicate that the
outcomes can be separated into positive and negative outcomes (European 2006 &
Australia 2004). To gain positive outcomes, the options should increase the likelihood
of the positive risk, manipulate the possible consequences and retain the residual risk
for the benefit of the organisation (European 2006 & Australia 2004). On the other
hand, for negative outcomes, they should reduce the risk likelihood, reduce the
negative influence on business processes, and minimise the consequences for the
organisation (European 2006 & Australia 2004).
NIST does not point out the double-sided consequences of risk, but gives suggestions
for treatment options: risk assumption, risk avoidance, risk limitation, risk planning,
research and acknowledgement, and risk transference (Stoneburner & Goguen 2002).
All three standards suggest a cost-benefit analysis, and NIST advises that the process
could include examining the effect of implementing, the effect of not implementing,
the implementation cost, and the difference between the implementation cost and the
value of the system resources (Stoneburner & Goguen 2002). Suitable and
cost-effective control methods can then be implemented for the company (Australia
2009 & European 2006).
The description of the action plan proposed by ISO 31000 and ENISA is less
complicated; it suggests components for the action plan, for instance proposed actions,
responsibility, time, performance measures, etc. (Australia 2009 & European 2006).
Moreover, the plan should be approved and reviewed by experts, top managers and
relevant personnel, and the process should be continually improved for better
performance (European 2006).
Compared with the other standards, NIST suggests a complex and comprehensive
process for designing the treatment plan. It includes a seven-step implementation
process to decide which risk control methods are suitable and reasonable for the
system (Stoneburner & Goguen 2002).
Step 1, prioritise actions: prioritise the risks from high to low and list them for the
implementation process.
Step 2, evaluate recommended control options: evaluate the suitable risk controls for
the system, using criteria such as compatibility, user friendliness, etc.
Step 3, conduct cost-benefit analysis: determine the cost-effectiveness of the different
risk methods and the benefit of implementation.
Step 4, select controls: based on the cost-benefit analysis, select the control methods
for the system.
Step 5, assign responsibility: assign control tasks and responsibility to suitable people.
Step 6, develop a safeguard implementation plan: consolidate the previous results and
document them in a formal format.
Step 7, implement selected controls: control implementation.
Table 3 Approach for control implementation (Stoneburner & Goguen 2002)
NIST also introduces a control categorisation system to maximise the effectiveness of
the different control methods. Control categories should be built so that the
organisation can determine the appropriate controls for implementation, selecting the
suitable control method through a trade-off analysis that compares performance and
cost. The control categories include technical, management and operational security
controls (Stoneburner & Goguen 2002).
Technical controls protect the system and reduce risk through the management of
system architecture, engineering discipline, and the combination of hardware,
software and firmware.
Support: Cryptographic Key Management, Security Administration, Identification,
System Protection
Prevent: Authentication, Authorization, Access Control Enforcement, Nonrepudiation,
Protected Communications, Transaction Privacy
Detect and Recover: Audit, Intrusion Detection and Containment, Proof of Wholeness,
Restore Secure State, Virus Detection and Eradication
Table 4 Technical control category (Stoneburner & Goguen 2002)
Management controls focus mostly on organisational policy, operational guidelines
and standards; they run through the operational process and support the organisation's
goals and missions.
Prevention: Security responsibility assignment, system security plan, personnel
security controls, training for employees
Detection: Risk management, access control for IT systems, periodic system review
and audit, etc.
Recovery: Incident response plan and business continuity plan
Table 5 Management control category (Stoneburner & Goguen 2002)
The implementation of operational security controls combines different aspects such
as technical controls and good industry practice. The purpose is to mitigate the
operational deficiencies that could be exploited by threat sources.
Prevention: Software virus control, backup capability, property protection, emergency
power source, computing equipment environment control, etc.
Detection: Physical security controls (surveillance, alarms, etc.), environmental
security.
Table 6 Operational control category (Stoneburner & Goguen 2002)
At the end of the treatment process, all three frameworks define residual risk. ISO
31000 and ENISA suggest that residual risk should be reviewed, monitored and
analysed throughout the risk management process to ensure appropriate management
during the organisation's activities (Australia 2009 & European 2006). On the other
hand, NIST indicates that the organisation should define an acceptance level for
residual risk and repeat the risk management cycle to find suitable control methods
depending on the acceptance evaluation (Stoneburner & Goguen 2002).
2.2.3 Monitoring and Improvement
Continuous monitoring and review can help the organisation's risk management
framework become more effective and accurate in the future (European 2006). The
systems implemented by most organisations are changed and improved frequently by
the IT team and senior managers to overcome newer potential risks (Stoneburner &
Goguen 2002). In addition, ISO 31000 suggests that the monitoring and review reports
should be recorded appropriately, considering the following points: the cost and effort
of recording, the method of recording, and information sensitivity (Australia 2009).
NIST lists the keys to success for this process: senior management commitment, IT
team support, risk assessment team competence, the cooperation and awareness of
users, and continuing risk evaluation and assessment (Stoneburner & Goguen 2002).
2.2.4 Differences between the three frameworks
The three risk processes listed above are included in each framework. The differences
between the processes have been analysed and summarised in the previous section.
This section concentrates on material that is not introduced in all three frameworks,
such as the mandate and commitment section in ISO 31000 and the communication
process in both ISO 31000 and ENISA. In addition, other articles also indicate the
importance of those processes (Khidzir et al. 2010).
2.2.4.1 Communication process
Both ISO 31000 and ENISA suggest that the communication process has a positive
effect on the comprehensive understanding of the system and organisation properties
(Australia 2009 & European 2006). In addition, communication between internal and
external sources is important and necessary (European 2006). Examples include
several fields, such as establishing the context, understanding and considering
stakeholder requirements and interests (what risk management process they want to
follow and how to minimise the loss of profit when an incident happens), the
involvement of expertise from different areas, a communication plan for future
contact, etc. (Australia 2009 & European 2006). ISO 31000 indicates that
stakeholders' objectives can significantly impact decision-making and eventually
affect the management framework (Australia 2009). Therefore, the communication
process can bring advantages to the whole framework.
2.2.4.2 Mandate and commitment
This section is designed to ensure the effectiveness of risk management in the
organisation. ISO 31000 states that commitment should be strong and sustainable and
should cover the process at the different levels of the organisation (Australia 2009).
For instance, the risk management policy, the fit between the organisation's culture
and the risk management policy, the suitability of the accountability and responsibility
assignment at the different company levels, the provision of appropriate resources for
risk management, etc.
2.2.4.3 Design of the framework for managing risk
Organisation and context understanding
When designing the framework, the context should be established at an early stage.
According to the standard, the external context, the internal context and the risk
management process context should be established in this phase (Australia 2009).
Some examples are included in the list below:
The external context:
Social and cultural
Political
Economic
Natural environment
Etc.
The internal context:
Organisation structure
The relationship with internal stakeholders
Corporate standards
The culture of the organisation
Etc.
The initialisation of context establishment should be fully considered and integrated
with the various perspectives of stakeholders; an unsuccessful definition could affect
the organisation throughout the whole risk management process and bring significant
loss to companies. In addition, an ongoing process of improvement for context
establishment can help the management process become more appropriate and
suitable for the organisation (Australia 2009).
Establishing risk management policy
The policy provides the rules for operation and ensures that the management process
has been designed and is effective. It could contain the risk management rationale, the
link between the organisation's objectives and the risk management policy, risk
management accountability and responsibility, assignment of suitable resources, and
reporting, improving and managing the management performance (Australia 2009).
Accountability
To ensure the effectiveness, accuracy and adequacy of risk management, the process
should include accountability. For instance, it could contain the assignment of risk
responsibility, performance reports, etc. (Australia 2009). A lack of responsibility
controls and awareness has become another vulnerability factor that causes risks to
materialise in organisations (Khidzir et al. 2010). Integration into the organisation's
processes makes risk management suitable for the organisation and provides more
effective and adequate results. Integration with the organisation's policy, development
plan or business strategic plan can improve the effectiveness of risk management in
the organisation (Australia 2009). Resources are another essential part of the
management process. Without resources, management cannot be done appropriately.
Common resources include people, organisation processes, information management
systems, training programmes, etc. (Australia 2009 & Murtaza 2011).
Internal and external communication and reporting method
The management process should establish communication mechanisms for internal
and external stakeholders. This can improve the information exchange between the
different levels of the organisation and the effectiveness of the risk management
process (Australia 2009 & Lin et al. 2005).
3 Case study
3.1 Overview of case study company
China Aerospace System Engineering Corporation is a National A Level state-owned
enterprise approved by the State Council, invested in by China Aerospace and Industry
Corporation and granted by the State Administration for Industry and Commerce
(CASEC 2012).
The company was founded more than a decade ago and has developed into a company
that integrates strategic research, innovation and investment, information engineering,
energy conservation, the art system and international trade. The company has
completed a group of national research projects, such as strategic studies on the
scientific development of the defence technology industry, the National Defence
Science and Technology resource information platform, integrated power-efficient
control equipment, the crucial project of energy saving and emission reduction, etc. In
addition, the company is supported by the National Torch Plan, the "863" Project, the
defence industry and technology promotion program, and the company's technological
innovation programs (CASEC 2012).
China Aerospace System Engineering Corporation has built strategic cooperative
relationships with a number of well-known enterprises, universities and institutions,
such as the European Space Agency, Technology Foundation Berlin, the National
Energy Conservation Association, the University of Texas, Tsinghua University, Wan
Fang data, etc. (CASEC 2012).
3.2 Overview of threat landscape
Cyber threats have increased with the development of network technology, the
growing number of Internet users and the growth of malicious activity. More and more
reports show that cyber threats affect people from many perspectives. For instance,
they include phishing websites, malware installation on computers, remote control,
information stealing, malicious monitoring, Trojans, etc. The examples shown above
are also the challenges faced by the case study company.
According to an Internet security company in China, the number of mobile network
users has increased rapidly. PC Internet users shifted to mobile terminals in the first
half of 2012. For this reason, the number of websites hosting Trojans has decreased,
and phishing websites have become the new trend in network security threats.
Moreover, APT attacks are aimed more at high-tech companies to steal sensitive
information, and these companies have become the major attack target for hackers.
The problem of personal information leaking on the Internet is growing fast.
According to the research, 55.8% of those surveyed indicate that it is becoming hard
to protect personal information on the Internet. 29.3% assert that their information has
been leaked and exposed in public. Viruses, illegal information gathering by software,
phishing websites, etc. are the most commonly detected methods used to steal
information. The private information is sold by related organisations and hackers, and
it is used for malicious activity such as spam email, SMS, faking, etc.
Online fraud is the major issue faced by Internet users. Firstly, the number of fake
websites has increased in recent years. There were 300,000 fake websites in 2010;
however, more than 500,000 websites have been detected on the Internet. In this case,
phishing websites are the main security threat encountered by users. Secondly, the
field of fraudulent websites has become wider and wider; traditional fraud activities
were confined to lottery information, the stock industry and online shopping.
However, airline tickets, fake internships, medicine selling, education, etc. are the new
trends in fraud areas. In addition, the areas change with the times and the social
environment, such as holidays, university opening, etc. In regard to the diversified
spreading methods, they focus more on BBS, email, blogs, social networking websites,
SMS, etc. rather than on out-dated instant messaging software such as QQ and MSN.
Finally, the servers related to malicious attacks are deployed overseas: 85.69% are
detected outside China and 70% of domain names are registered offshore. The
consequence is that they are hard to reach physically and hard to control and take
down.
Phishing websites disguised as shopping websites are another form of cyber threat. Fake airline ticket and travel websites increase as holidays approach. According to the statistics, thousands of phishing websites related to online shopping, ticketing and travel appear around the holiday period. The attacker posts links on BBS forums, blogs, Weibo and other social networking websites advertising lower prices to attract customers to the fake website, then steals their banking information and related credentials. Moreover, hackers embed Trojans and viruses in such websites to steal information; this usually happens on ticketing and e-commerce websites.
Attacks on mobile devices are increasingly common in the more developed areas such as Beijing, Shanghai and Shenzhen. Mobile viruses have become the major attack method, and both the technology behind them and the harm they cause are becoming more severe. The financial losses suffered by customers from mobile threats are enormous. A virus can customise its malicious code according to the time, the user's location and the SIM card operator in order to target different people in different places. Sophisticated viruses can delete the billing record after a charge has been deducted, and even the Internet browsing history. Apart from financial loss, leakage of personal information is another problem: viruses can be customised to steal email accounts, mobile banking accounts and so on. The limitations of anti-virus software on mobile phones and the lack of user awareness are the main reasons these attacks succeed. Every employee in the case study company has a mobile device such as a mobile phone or tablet, so this new attack method could cause losses to the company if employees do not pay enough attention to it.
Trojan.milicenso is another Trojan detected recently. It creates massive print jobs until the printer runs out of paper or the machine is forced to shut down; one computer in the case study company has been affected. In addition, it can download malicious files from a remote server onto the infected computer.
Advanced Persistent Threat (APT) attacks have become an emerging trend aimed at enterprise-level targets. APTs target an organisation's sensitive information; according to the research, 21.6% of network security incidents are related to APT attacks. For instance, the Google Aurora and Stuxnet attacks caused extreme damage to the affected organisations. Some distinguishing features of APT attacks:
• The attack lasts much longer than other types of attack. The attacker scans, tracks and attacks the target over a long period to maximise the potential damage.
• The target is more specific: sectors such as the defence industry, energy, finance, military affairs and government organisations, all related to the national economy and people's livelihood.
• The attack is more penetrating than ordinary threats. The attacker uses social engineering against employees of the targeted company, seeks potential weak points to gain administrative privileges, and then damages the company.
APT attacks that exploit office software have increased recently. Office files are a high-priority target because they contain large amounts of sensitive information and user information. In the daily working environment, email and the various kinds of office software are used by more than 90% of staff. In addition, it is hard to check and analyse the threat posed by an email that carries the company logo. The attacker can disguise the email as a company survey, report form or similar in order to attack the employee's computer and system. After penetrating the company, the attacker can mount more specific attacks on particular people or systems, for example forcing malware downloads or stealing data. The case study company holds a large amount of confidential information, so this kind of attack has the highest priority for detection and prevention.
3.3 Overview of information security measures
3.3.1 Risk management framework
Like other companies, China Aerospace System Engineering Corporation has its own risk management framework, which is currently used in the company to assess and mitigate risks. The company framework has some similarities with the three international standards reviewed in the previous section. However, for more effective adaptation and application to the social environment and the company's situation, the framework also contains different aspects intended to improve performance inside the company.
The framework used by the case study company can be divided into two main parts. The first part focuses on the risk management process; the main purpose of the second part is planning the implementation of risk management. The following sections describe each part in detail.
3.3.1.1 Risk management process
The risk management process consists of five sections: risk identification, risk analysis, risk treatment, control implementation, and risk monitoring and control improvement.
3.3.1.1.1 Risk identification
The objective of risk identification is to predict a risk before it becomes a real security issue. The output of risk identification should include the company context, the threats, the vulnerabilities and the current security controls. In addition, scenarios can be generated at this stage to simulate possible risks, and the details predicted in each scenario used to find the vulnerable elements in the company. All of this material is used in the next stage, risk analysis.
For better risk identification, suitable methods need to be applied. For instance, a questionnaire is a helpful tool for gathering information from employees; it focuses on internal staff, who have a better understanding of the daily work. Careful thinking helps the risk management staff generate useful information, which in turn produces better identification results. Apart from questionnaires, a system configuration checklist is another effective method for locating risks related to the systems themselves, such as software, hardware, network equipment and data servers. In addition, a risk database can be built to store each currently identified risk together with its detailed related information, so that the output of the risk identification process remains useful and traceable in future work.
To identify the threats, vulnerabilities and current security controls, an understanding of the company's information assets is essential. Information assets include the systems, software, hardware, employees and archived data of the company.
Archived data includes any type of information owned by the company. It can be categorised by level, such as confidential, secret and important. The format of the information varies; it can be digital or printed. Detailed categorisation helps the risk management team understand the company's current situation and create specific security controls to protect each type of data.
Systems can be divided into several parts, such as information systems, data systems and network systems. Identifying each system helps the relevant expert gain a detailed understanding of it and produce a high-quality threat and vulnerability analysis.
The performance of hardware and software is another important resource that needs to be evaluated in the risk identification process. Software such as office tools, operating systems, database software and network management software needs to be analysed. Hardware includes any type of physical equipment, such as computers, communication devices, servers and database hosts. Once the information assets have been collected, the threats and vulnerabilities need to be analysed and documented in the next step.
Threats can be grouped by their source, which may be human or non-human, and by whether they arise intentionally or accidentally, giving four categories:
• Human threats include network attacks, malicious code, unauthorised access, operator error, etc.
• Non-human threats such as power failure, fire and flood are also included in the list.
A threat is realised through a vulnerable point. Vulnerabilities of information assets are examined in three categories: technical, management and operational.
Technical vulnerabilities include system faults, program bugs, insecure coding, etc.
Management vulnerabilities concern company policy, employee security awareness, company structure, etc.
Operational vulnerabilities include misunderstandings when using the system, employee training issues, etc.
The threats and vulnerabilities of the information assets need to be documented and stored for risk analysis. Specific and ongoing analysis is compulsory for future improvement.
The last activity in risk identification is to analyse the current security controls in the company. This analysis needs to include performance analysis, cost-benefit analysis and so on to determine the usability and suitability of each control for the company.
3.3.1.1.2 Risk analysis
Risks need to be analysed and evaluated against the risk criteria, using the analysis tools and the risk database created in the previous stage. The analysis eventually produces a prioritised list of risks. To reach this result, the likelihood and consequence of each risk need to be determined in the risk analysis process. In addition, risk scenarios can be integrated into the process to support the evaluation.
To determine the likelihood of each risk, various elements need to be included in the analysis: for instance, how attractive each information asset is, its potential value once compromised, the technology behind the attack and the investment the attack requires. The likelihood combines the threat and vulnerability analysis, so establishing a threat level and a vulnerability level for each risk helps to derive it. The consequence once a risk materialises is equally important in the analysis phase: the financial loss to the company if sensitive information is lost, the recovery cost after the risk occurs, the effect on the company's reputation in the business environment, and so on.
To determine the impact level of each risk and prioritise the risks in the next step, a risk matrix should be built. Combining the likelihood and consequence of each risk places it on a scale of low, medium or high risk. The results of risk analysis need to be reviewed by senior management and approved before treatments are determined and implemented.
3.3.1.1.3 Risk treatment
The intended outcome of the risk treatment process is to determine the security control methods that will improve the company's security level and minimise the loss when a risk materialises.
Taking the prioritised risk list produced by risk analysis, a suitable mitigation plan is chosen for each risk. Several options exist for the risk treatment plan:
Risk avoidance: avoid the risk by relocating the information asset or disconnecting the data server from the Internet. For a time-triggered virus, the company can also avoid the critical time to reduce the possibility of exposure.
Risk transfer: transfer the risk to a third-party company. For example, if a risk stems from hardware failure, it can be transferred to the hardware supplier.
Risk reduction: take actions that reduce the likelihood and consequence of the risk. This applies when the risk cannot be avoided or no specific treatment deals with it; in that case controls that lower the likelihood and consequence should be implemented to avoid greater loss.
Risk acceptance: this is the treatment for residual risk, that is, the risk that remains after controls have been implemented.
Security control methods are categorised for different risks. Just as vulnerabilities are divided into technical, management and operational categories, the risk treatment methods can be divided the same way.
Technical controls deal with risk using technical methods such as system updates, anti-virus software, secure coding, etc.
Operational controls include backup procedures, emergency power supply, physical property protection, etc. Each control needs a clear instruction and procedure in order to achieve the accepted result.
Management controls cover the management of information assets, the policies built to protect them, the auditing process, etc. Employee training and disaster recovery plans are also management controls.
After choosing the risk treatment plan, a cost-benefit analysis should be included to determine the potential cost of implementation. Several aspects can be considered:
Purchase cost: the cost of software, hardware or services.
Implementation cost: the installation fee or related maintenance cost.
Continuing cost: the actions related to management, monitoring and maintenance.
Employee training cost: to make good use of a security control, training needs to be provided to employees, and its cost needs to be calculated.
Senior management needs to decide the potential benefit of implementing each security control, select the cost-effective control methods and include them in the control implementation plan. This filtering process needs to be done with expert support or experienced personnel.
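The following is an added example, not a tool from the thesis or from the case study company, showing how the risk analysis of 3.3.1.1.2 and the cost-benefit filter of 3.3.1.1.3 can be carried out over a small risk database. The 3x3 matrix, the likelihood bands, the three-year planning horizon and every value in the sample register are assumptions chosen for illustration; the company's own thresholds are not given in the text.

```python
"""Risk scoring and treatment filtering (added example; all values assumed)."""
from dataclasses import dataclass, field

LEVELS = {"low": 1, "medium": 2, "high": 3}

# Likelihood (first key) x consequence (second key) -> overall risk level.
RISK_MATRIX = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}


@dataclass
class Control:
    """One candidate control with the four cost aspects named in 3.3.1.1.3."""
    name: str
    purchase: float
    implementation: float
    continuing_per_year: float
    training: float

    def total_cost(self, years=3):
        return (self.purchase + self.implementation + self.training
                + self.continuing_per_year * years)


@dataclass
class Risk:
    """One row of the risk database built during risk identification."""
    rid: str
    asset: str
    threat: str
    vulnerability: str
    asset_value: float            # value of the protected property
    threat_level: str             # low / medium / high
    vuln_level: str               # low / medium / high
    consequence: str              # low / medium / high
    candidate_controls: list = field(default_factory=list)


def likelihood(threat_level, vuln_level):
    """Likelihood combines the threat and vulnerability levels: multiply the two
    ranks (product 1..9) and map it back onto three bands (assumed cut-offs)."""
    score = LEVELS[threat_level] * LEVELS[vuln_level]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def risk_level(risk):
    """Place the risk on the matrix using its likelihood and consequence."""
    return RISK_MATRIX[(likelihood(risk.threat_level, risk.vuln_level), risk.consequence)]


def prioritise(register):
    """Prioritised risk list, highest first; ties keep register order."""
    return sorted(register, key=lambda r: LEVELS[risk_level(r)], reverse=True)


def affordable_controls(risk, years=3):
    """Economic filter from 3.3.1.2.1: drop any control whose total cost over
    the planning horizon is not below the value of the property it protects."""
    return [c for c in risk.candidate_controls if c.total_cost(years) < risk.asset_value]


def treatment_plan(register):
    """For each risk, in priority order: its level and the controls that pass
    the cost-benefit filter (senior management still makes the final choice)."""
    return [(r.rid, risk_level(r), [c.name for c in affordable_controls(r)])
            for r in prioritise(register)]


# Constructed sample register; the figures are illustrative, not company data.
SAMPLE_REGISTER = [
    Risk("R1", "design archive server", "APT spear-phishing", "unpatched office software",
         asset_value=5_000_000, threat_level="high", vuln_level="high", consequence="high",
         candidate_controls=[Control("patch management", 0, 20_000, 10_000, 5_000),
                             Control("email attachment sandbox", 60_000, 15_000, 12_000, 3_000)]),
    Risk("R2", "office printer fleet", "mass print-job malware", "unmanaged print servers",
         asset_value=30_000, threat_level="medium", vuln_level="medium", consequence="low",
         candidate_controls=[Control("replace printer fleet", 45_000, 5_000, 1_000, 0),
                             Control("endpoint anti-virus", 0, 2_000, 1_000, 500)]),
    Risk("R3", "employee mobile devices", "mobile malware", "no mobile anti-virus",
         asset_value=200_000, threat_level="high", vuln_level="medium", consequence="medium",
         candidate_controls=[Control("mobile device management", 25_000, 10_000, 8_000, 4_000)]),
]

if __name__ == "__main__":
    for rid, level, controls in treatment_plan(SAMPLE_REGISTER):
        print(rid, level, controls)
```

With the sample register, R1 and R3 are rated high and R2 low; the printer replacement is dropped because its three-year cost exceeds the value of the asset it protects, which is the economic test stated in the planning phase. The bands and the multiplicative likelihood rule are the part a company would replace with its own criteria; the structure (register, matrix, prioritised list, cost filter, management sign-off) is what the process above describes.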
The result of risk treatment is a control implementation plan. The plan should include the objective of each security control, a time-based ongoing monitoring process for successful implementation, the cost of implementation and a responsibility table for each implementation task. To ensure the effectiveness of security control implementation, the responsibility for each task needs to be determined so that every task has an accountable owner. A well-planned process is the foundation for avoiding delay or implementation failure.
3.3.1.1.4 Control implementation
Take the control implementation plan from the last step and implement the security controls within the company.
Ensure the implementation process runs well by monitoring the timeline and responsibilities set in the previous phase. Resources such as financial support and equipment purchases need to be well prepared for the implementation process.
An implementation report is an important outcome of this activity: it confirms that the process finished on time and deals with any unfinished tasks. Difficulties faced in the process are reported to senior management, whose advice is used to adjust the control implementation plan and re-implement the security control.
3.3.1.1.5 Risk monitoring and control improvement
The main objective of this activity is to evaluate the performance of the current security controls and improve the control methods.
For any risk mitigation plan, it cannot be assumed that the control method will prevent the risk in the long term. Therefore the monitoring process is vital. It should gather related information such as changes in the company's information systems and operational environment and the performance of the current control methods, in order to determine new risk trends and the suitability and usability of the current risk mitigation plan.
Eventually, the status of each risk is re-analysed in terms of likelihood and consequence to decide on a new risk treatment plan for existing or new risks. In addition, the risk database is updated as part of this activity.
3.3.1.1.6 Communication
The most important activity in the risk management process is communication between people at different levels in the company. For instance, communication between equipment procurement staff and implementation personnel helps both sides agree on the time of implementation and ensures the control implementation finishes on schedule.
Different stakeholders can hold different opinions on the risk management plan, and these can eventually influence the plan. It is important to communicate between stakeholders to avoid unnecessary effort and to achieve a satisfactory result in the end.
3.3.1.2 Implementation plan
To achieve the best performance when executing the risk management plan, the case study company has developed an implementation plan in conjunction with the risk management process. The plan has three phases: planning and preparation, deployment and implementation, and monitoring and improvement.
3.3.1.2.1 Planning and preparation
Before the risk management process starts, planning and preparation is the most important phase in the whole process; it should provide suitable support for the overall process. In this phase, different actions should be taken to gain the best performance.
Obtaining support means gaining the support of senior management and the other related departments in the company. To run the risk management process, resources such as people, equipment, funding and time should be provided. In addition, senior managers need to be involved in the process, which has a positive influence on employees.
Understanding the current risk management situation is another important action that needs to be carried out before the actual implementation. Different situations affect the implementation plan significantly. Existing management strategies need to be confirmed to avoid unnecessary effort and deployment.
The main participants and a responsibility table need to be established in this step. Participants can include senior management, the risk management team, the information security team, the information technology team, auditing staff, the human resources department, the finance department, etc.
In addition, different responsibilities should be assigned to specific personnel. For example, the information security team needs to be involved in risk analysis and in evaluating security control methods; the IT group needs to provide the company's IT structure and give suggestions to the risk management team; human resources needs to assign experienced and trained employees to work in the different departments; the finance department needs to provide the necessary financial support and control the budget; and so on.
With responsibilities well defined in advance, the risk management process can proceed effectively in the company and it is easier to track task progress during implementation.
Preparation for risk identification and analysis
First, define the scope of the risk management entity. This should consider the analysis of the current risk situation to define the management area, focusing on the business areas related to the information technology systems and the important IT support systems. Secondly, confirm the risk management personnel. The team should include a risk recorder, IT security and technical employees (who have a better understanding of the systems currently used in the company), an implementation controller, etc. External experts can be hired to run the risk management process; however, internal employees need to work in conjunction with the external personnel for a comprehensive analysis. Moreover, the plan for risk identification and analysis should be built before the actual activity, as it improves the performance and effectiveness of the process. In addition, employees need to be trained by experienced experts.
Considerations for security control selection and implementation
The performance of a risk control method is an important element when choosing a security control. However, several considerations need careful attention during the selection.
Economic factor: the cost of the control method should be lower than the value of the property it protects. A cost-benefit analysis therefore needs to be made when designing the security control, covering software, hardware, training, penetration testing costs, etc.
Timing factor: timing constraints need to be considered.
Technical factor: technical security controls need to consider usability, compatibility, etc.
Social, environmental and legal factors also need to be considered, such as social culture, climate, the physical environment and legal requirements.
A control implementation plan form can detail the control implementation process. The form can be designed by the risk management team and senior management and should include the following details: control method number, name, method description, responsible person, implementation staff, resource list and scheduled time.
3.3.1.2.2 Deployment and implementation
With the control implementation plan designed, deployment proceeds in the next phase. Communication between the different departments is essential to succeed in the implementation phase. In addition, the priority of each implementation, supporting plans and other related documentation should be considered during the process.
Security training should proceed in conjunction with implementation to improve employees' security awareness and build a security consensus throughout the whole company. Security training can consist of three parts: user training, manager training and security staff training.
User training: ordinary users are an important element of the risk management process. Building security awareness and the operational procedures for working with the security controls can be covered in the training session.
Manager training: support from the management level is vital in the risk management process. The objectives and importance of risk management should be taught to senior managers, and the threats facing each department should be pointed out specifically in order to gain more support from senior management.
Security staff training: this training is taken to avoid misunderstanding the threats and vulnerabilities in the various departments during the risk management process, and to improve technical skills.
All three training sessions should be ongoing activities that update staff on the current management status and improve security awareness in the company.
3.3.1.2.3 Monitoring and improvement
The monitoring team is responsible for monitoring the overall implementation process and the risk management process to ensure the security environment is kept up to date. The performance of the different security control methods and of the implementation plan is another important element of monitoring. For maximum usability and reliability of the risk management activity, improvement after monitoring is essential as well: the information collected from the different phases is used to modify the overall process and framework and provide a secure environment for the company.
3.3.2 Case study company risk mitigation plan
In the risk management part, the risk treatment plan is divided into two parts: application-level and data-level security. Both levels have different security control implementations, covering operational controls, technical methods and management controls.
3.3.2.1 Application level security control
Inside the case study company, application-level security has been defined as the first priority in the company's daily work.
1. In application-level security control, user authentication is the first method used by the company. The control methods include:
a). Ensure non-repudiation for each system user during authentication.
b). The system should be able to verify the user's identity so that unauthenticated users cannot log into the system.
c). User authentication information should have several distinguishing features, for instance a minimum password length, complexity of the identity method and a short password update period.
d). The system should be able to terminate the session when facing multiple login attempts, connection timeout, etc.
2. Access control is a complicated process inside the system; the case study company takes the control criteria seriously when implementing the risk management plan.
a). Access control in the system should be designed by examining and analysing each user's access level according to the company security strategy.
b). Access to system features and authorisation to modify data should be set by specific personnel who have been trained and have the related experience.
c). Access control needs to cover the operations between each system entity that involve sensitive information.
d). Access control methods need to cover various levels, such as user, file and data.
e). Separate the access rights of different users so that each user has only the privileges needed to conduct their work.
f). Analyse and set up user access to minimise privileges that are not needed for the job; that is, assign only the functions sufficient to conduct the job.
g). The access rights of default users need to be strictly limited.
3. Security auditing holds an important position in the case study company. The overall auditing process needs to be carried out by experienced personnel, avoiding auditors connected with the company, to keep the report objective.
a). Auditing needs to cover every user of the application system.
b). Security auditing needs to record each incident related to information security, including user activity and important system function logs.
c). The date, time and type of each security incident and the result of the activity need to be well defined and recorded to ensure the completeness and traceability of the audit report.
d). The audit report needs to be protected against unexpected modification or deletion.
4. Residual information protection is another method of protecting the company's information. Firstly, user authentication information stored on the hard disk or in memory needs to be deleted before the next user operates the system. Secondly, storage space containing system files, directories and database records needs to be fully cleared before being reassigned to a new user. Deleting the previous user's information is an important way to reduce the chance of authentication information leaking or of a threat to the system.
5. Communication needs to be secured at all times while applications are operating in the company.
a). Communication should be protected by a cryptographic protection algorithm, and the user application should be able to verify the validity of encrypted messages.
b). If one party faces a long period without a response, the system should end the communication to secure the information transmission channel.
c). Initial verification should be conducted by the designed cryptographic protection method before communication is established between the two parties.
d). When sensitive information appears in the communication process, the system needs to detect it and encrypt the message to avoid insecure activity.
6. Software fault tolerance is another consideration that can potentially improve the usability and reliability of the company's systems.
a). Input data received through the human-machine interface and communication interfaces should be validated.
b). A rollback function needs to be included in the system so that an operation conducted through the human-machine interface can be rolled back to a specific state.
c). Critical functions need to remain available when the system faces a failure, to assure that necessary operations can still be carried out.
7. Resource control can improve the efficiency of the system by controlling the entities connected to the network system.
a). Multiple concurrent sessions by a single user should be limited.
b). The maximum number of concurrent sessions in the application needs to be limited.
c). The limit on concurrent sessions should also apply within a given period of time.
8. Code security is important in the application to minimise the possibility of system failure. Code security needs to be examined before software release, and ongoing improvement should be undertaken to ensure the suitability, usability and reliability of the application. The software needs to be scanned for malicious code, and vulnerability testing needs to be carried out on the software before release.
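The following is an added example, not code from the case study company, that implements the authentication controls of item 1 (password length, complexity and update period; terminating a session after repeated login attempts or a connection timeout) together with the concurrent-session limits of item 7 in one small session manager. All thresholds (12-character minimum, three character classes, 90-day rotation, 5 failed attempts followed by a 15-minute lockout, 30-minute idle timeout, at most 2 sessions per user), the fixed clock and the two sample accounts are assumptions chosen for illustration.

```python
"""Authentication and session controls (added example; thresholds assumed)."""
import hmac
import re

PASSWORD_MIN_LEN = 12
PASSWORD_MAX_AGE = 90 * 86400      # seconds: short update period
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
IDLE_TIMEOUT = 30 * 60             # connection timeout
MAX_SESSIONS_PER_USER = 2


def password_policy_violations(password, last_changed, now):
    """List the policy rules the password breaks (empty list means compliant)."""
    problems = []
    if len(password) < PASSWORD_MIN_LEN:
        problems.append("too short")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("needs 3 of: lower, upper, digit, symbol")
    if now - last_changed > PASSWORD_MAX_AGE:
        problems.append("expired")
    return problems


class SessionManager:
    def __init__(self, credentials):
        # credentials: {user: (password, last_changed)}. Constructed for the
        # example; a real system stores salted password hashes, not passwords.
        self._creds = credentials
        self._failed = {}          # user -> consecutive failed attempts
        self._locked_until = {}    # user -> lockout expiry time
        self._sessions = {}        # token -> (user, last_activity)
        self._counter = 0

    def login(self, user, password, now):
        """Return (token, status); token is None unless status is 'ok'."""
        if self._locked_until.get(user, 0) > now:
            return None, "locked out"
        record = self._creds.get(user)
        stored = record[0] if record else "no such user"
        # constant-time comparison, performed even for unknown users so the
        # response time does not reveal which usernames exist
        match = hmac.compare_digest(stored.encode(), password.encode())
        if record is None or not match:
            failed = self._failed.get(user, 0) + 1
            self._failed[user] = failed
            if failed >= MAX_FAILED_ATTEMPTS:
                self._locked_until[user] = now + LOCKOUT_SECONDS
                self._failed.pop(user, None)
                return None, "locked out"
            return None, "invalid credentials"
        self._failed.pop(user, None)
        if password_policy_violations(password, record[1], now):
            return None, "password change required"
        self.expire_idle(now)
        active = sum(1 for u, _ in self._sessions.values() if u == user)
        if active >= MAX_SESSIONS_PER_USER:
            return None, "too many concurrent sessions"
        self._counter += 1
        token = f"s{self._counter}"
        self._sessions[token] = (user, now)
        return token, "ok"

    def touch(self, token, now):
        """Validate a session on each request; idle sessions are ended first."""
        self.expire_idle(now)
        if token not in self._sessions:
            return False
        self._sessions[token] = (self._sessions[token][0], now)
        return True

    def expire_idle(self, now):
        stale = [t for t, (_, last) in self._sessions.items() if now - last > IDLE_TIMEOUT]
        for t in stale:
            del self._sessions[t]

    def logout(self, token):
        self._sessions.pop(token, None)


NOW = 1_350_000_000   # fixed clock for the constructed scenario


def run_scenario():
    """Walk through lockout, concurrent-session cap, idle timeout and expiry."""
    mgr = SessionManager({"alice": ("Correct-Horse-Battery-9", NOW - 10 * 86400),
                          "bob": ("Winter2012!abc", NOW - 200 * 86400)})
    out = []
    for _ in range(MAX_FAILED_ATTEMPTS):
        out.append(mgr.login("alice", "wrong-password", NOW)[1])
    out.append(mgr.login("alice", "Correct-Horse-Battery-9", NOW)[1])     # still locked
    t = NOW + LOCKOUT_SECONDS + 1
    tok1, s1 = mgr.login("alice", "Correct-Horse-Battery-9", t)
    _, s2 = mgr.login("alice", "Correct-Horse-Battery-9", t)
    out += [s1, s2, mgr.login("alice", "Correct-Horse-Battery-9", t)[1]]  # third blocked
    out.append(mgr.touch(tok1, t + IDLE_TIMEOUT + 1))                     # idle: rejected
    out.append(mgr.login("alice", "Correct-Horse-Battery-9", t + IDLE_TIMEOUT + 1)[1])
    out.append(mgr.login("bob", "Winter2012!abc", NOW)[1])                # 200 days old
    return out
```

Two points the list above leaves implicit are visible in the code: the failed-attempt counter is cleared when the lockout is imposed, so the user gets a fresh allowance once the lockout expires rather than being locked out again on the first mistake, and the idle check runs before the concurrent-session count so that abandoned sessions do not block a legitimate new login.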
3.3.2.2 Data level security control method
Data security is the first priority in the company, especially as the company is in the aerospace industry. Various methods are used in daily work to protect the company's data. The integrity and confidentiality of data need to be maintained throughout the whole procedure.
To protect data integrity, the system needs to be able to detect damage to data during data management, transmission and operation. To prevent data being destroyed or damaged during these processes, software protection methods need to be involved; for instance, intrusion detection systems and anti-virus software can provide suitable protection for the system. Apart from technical methods, employees need security awareness training as well. People are the most important resource in the company, and without sufficient security thinking, security in the daily job cannot be guaranteed.
The confidentiality of data also needs to be protected. As with integrity protection, people are an important asset here; confidentiality covers the whole process related to information technology security. Moreover, the network equipment, operating systems, data management systems and software need to contain protection methods to secure sensitive information. Data encryption is one countermeasure: any portable or removable device needs to be encrypted when transferring sensitive information.
Data backup is another important procedure for ensuring the usability and reliability of data in emergency circumstances. The process needs to be able to back up vital information automatically; the system needs to define and select the sensitive information to back up and filter out ordinary data. Data needs to be restorable quickly and without error. Moreover, the important network equipment, communication lines and server configuration files need to be backed up as well.
Internal and external network data exchange security focuses on the security boundary between the different network environments. The company has a custom-designed network to protect against potential threats from the external network. The following procedures can prevent system damage or information loss caused by the external network.
1. Information import is only permitted from the external network to the internal network. Information in the internal network may only be transferred within that network.
2. Transmission between the different networks needs to be controlled by a data exchange management system. The system needs to be able to detect illegal data exchanges and alert the related personnel.
3. Authentication and authorisation should be part of the data exchange process. An exchange needs the permission of an authorised employee and is carried out together with recording and authentication.
4. An audit report and log need to be generated during data exchange, recording information such as the time and date of the exchange, the operator, the information type, the sensitivity level, etc.
5. Equipment used for data exchange needs to be authorised and checked, to avoid data leakage or virus infection through insecure equipment.
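Item 3 of 3.3.2.1 requires that audit records carry date, time, event type and result and be protected against modification or deletion, and item 4 above adds the operator, information type and sensitivity level for data exchanges. The following is an added example, not the case study company's auditing system, of a log that meets both: each record stores the authentication tag of the record before it and is itself tagged with HMAC-SHA256 under a key held by the auditor, so that a changed, inserted or removed record breaks the chain. The key, the event lines and the timestamps are constructed.

```python
"""Tamper-evident security audit log (added example; key and events constructed)."""
import hashlib
import hmac
import json


def _canonical(body):
    # deterministic serialisation so writer and verifier tag identical bytes
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    GENESIS = "0" * 64   # "previous tag" of the very first record

    def __init__(self, key):
        self._key = key          # held by the auditor, not by application admins
        self.records = []

    def append(self, time, user, event_type, result, **details):
        prev = self.records[-1]["mac"] if self.records else self.GENESIS
        body = {"seq": len(self.records), "time": time, "user": user,
                "event": event_type, "result": result, "prev": prev, **details}
        mac = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        self.records.append({**body, "mac": mac})
        return mac

    def verify(self, expected_last_mac=None):
        """Return (ok, index): index is the first bad record, or None.
        expected_last_mac is the tag of the newest record as stored separately
        by the auditor; without it, deletion of the tail cannot be detected."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "mac"}
            if body.get("seq") != i or body.get("prev") != prev:
                return False, i
            expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, rec["mac"]):
                return False, i
            prev = rec["mac"]
        if expected_last_mac is not None and prev != expected_last_mac:
            return False, len(self.records)
        return True, None


def build_sample_log(key):
    """Three constructed events covering the fields named in the text."""
    log = AuditLog(key)
    log.append("2012-09-03T08:15:00", "zhang", "login", "success")
    log.append("2012-09-03T08:20:12", "zhang", "data_exchange", "denied",
               direction="internal->external", information_type="design document",
               sensitivity="secret")
    log.append("2012-09-03T08:21:40", "li", "privilege_change", "success", target="zhang")
    return log


def tamper_demo(key=b"constructed-auditor-key"):
    """Show which manipulations the chain detects and which need the anchor."""
    anchor = build_sample_log(key).records[-1]["mac"]
    results = {"intact": build_sample_log(key).verify(anchor)}
    modified = build_sample_log(key)
    modified.records[1]["result"] = "success"          # rewrite a denied exchange
    results["modified"] = modified.verify(anchor)
    removed = build_sample_log(key)
    del removed.records[1]                             # hide a record in the middle
    results["removed_middle"] = removed.verify(anchor)
    truncated = build_sample_log(key)
    del truncated.records[-1]                          # drop the newest record
    results["truncated_chain_only"] = truncated.verify()
    results["truncated_with_anchor"] = truncated.verify(anchor)
    return results


if __name__ == "__main__":
    for name, outcome in tamper_demo().items():
        print(f"{name:24s} {outcome}")
```

The caveat worth noting for the auditing requirement is the last case: a hash chain alone says nothing about records removed from the end, so the auditor must keep the newest tag (or the record count) somewhere the application administrators cannot write, and the key used for the tags must likewise be outside their control, otherwise a privileged insider can simply re-tag a rewritten log.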
3.3.2.3 Technical security control
There are many security control methods in use in the company, covering technical, policy, operational and management aspects. In this section the technical controls are described. Six security areas are the main consideration in the technical method; together they cover most parts of the security system.
1. User security includes user activity monitoring, host machine protection, user authentication and certification, and user access control.
2. Application security covers differentiated user identities, server security strength and security auditing.
3. System software security: operating system security and data system security.
4. Data security involves data backup and data encryption.
5. Network security is the relatively important section of the technical method, with eight parts: firewall, intrusion detection system, critical equipment backup, secure interface, encrypted transmission, anti-virus software, interface monitoring software and external environment monitoring.
6. The last part of the technical control is physical security, which covers environment security, equipment security, data storage security and radiation protection.
Apart from the six technical perspectives, four platforms have been integrated into the control system as well: a password management platform, a user identification/access control/authorisation platform, a system security management platform and a network equipment management platform. The six technical areas rely on these four platforms, which provide the management system for the whole technical control method.
3.4 Discussion and improvement
3.4.1 Comparison
The case study company's risk management framework has its own features, which suit the company. However, compared with the three international standards, some aspects could still be improved; the following section focuses on the gaps in the framework and the improvements that could be made after the comparison.
As in the three international frameworks, the three main steps of risk identification, risk analysis and risk treatment are covered in the company's current framework.
3.4.1.1 Risk identification
A context establishment process, which is important before risk management begins, is missing from the company framework ahead of the risk identification phase. ISO 31000 and ENISA indicate the importance of context building, which could cover both internal and external context. In addition, NIST provides a system characterisation process which focuses more on the system perspective. A risk management policy is suggested by ENISA and ISO 31000; it includes the objectives for managing risk, the management process, risk management performance reporting, risk management review and a commitment to improvement, etc., which help the risk management process work effectively in the organisation. Moreover, risk criteria are another important element in ISO 31000 that help companies prioritise risks in the risk treatment process.
In regard to the risk identification process, the company framework shows some similarities with the three international standards. For instance, actions such as threat identification, vulnerability identification, current control analysis and methods for information gathering are included in all frameworks. However, a few differences show up in this case.
In threat identification, NIST suggests that motivation analysis could be included to gain a better understanding of the threat, such as its type and the targeted personnel. ENISA and ISO 31000 indicate that threat analysis could consider several aspects such as origin, consequence, results, reason for occurrence, and time and location. The company framework suggests that threats could be analysed as human and non-human.
In regard to vulnerability analysis, NIST suggests information gathering techniques for analysing vulnerability sources, such as IT security audit reports, system software security analyses and penetration testing. The company framework indicates three vulnerability areas: technical, management and operational.
NIST also introduces a two-category control analysis: technical and non-technical. The company framework provides a comprehensive explanation of the categories of current controls.
However, some advantages can be found in the company framework. The risk scenario proposed by the company framework could help the analyst build a comprehensive view of the risk. The risk database is another new idea, which helps future work and fills out the company's risk inventory. Beyond the general context establishment in the three international standards, information asset analysis could perform better in understanding information material. The level categorisation and information format analysis could be more suitable for a company built around highly sensitive information.
3.4.1.2 Risk analysis
Likelihood and impact analysis is covered in all four frameworks, and the company framework and NIST introduce the concept in detail. System availability, data confidentiality and integrity are the three main concerns used to define risk impact in NIST. The company framework focuses on the financial loss after a compromise. For determining the risk level, NIST and the company framework suggest using a risk matrix to define the risk level and prioritise risks as the outcome of risk analysis. ISO 31000 and ENISA introduce a few analysis methods such as qualitative, semi-quantitative or quantitative methods. In ISO 31000 and ENISA, organisational processes, stakeholder concerns and expert judgement, and organisational risk attitude and tolerance are introduced to help with decision making.
3.4.1.3 Risk treatment (mitigation)
In this case, NIST proposes a well-explained and comprehensive plan for risk mitigation. The company framework gives a clear description of the mitigation options. It includes risk avoidance, risk transformation, risk minimisation and risk acceptance, and provides several examples for each option. However, NIST indicates a risk mitigation strategy which provides a brief idea for building the control implementation plan. In regard to control categories, the company framework and NIST provide recommended categories for countering the risk: technical, operational and management. In addition, some control examples are provided in this case. However, apart from the three main categories, NIST divides each category into several subsets: supportive, prevention, detection and recovery. This guidance could help the company provide more effective control methods against the risk.
Cost benefit analysis is another crucial action for control selection. NIST advises that the analysis cover the effect of implementing, the effect of not implementing, the implementation cost, and the difference between the implementation cost and the system resource value. The company framework takes purchase cost, implementation cost, continuing cost and employee training cost as the elements in this process. Both methods have advantages, and their combination would be the best option when conducting a cost benefit analysis. Cost benefit analysis is mentioned in ENISA and ISO 31000; however, the details are not discussed in those frameworks.
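An added example (not from the thesis, NIST or the company framework) that rates a risk with a likelihood-impact matrix as in 3.4.1.2 and then combines both sets of cost benefit elements from the paragraph above: the effect of implementing and of not implementing a control, set against its purchase, implementation, continuing and training costs and against the asset value. The matrix scores, the risk thresholds and all money values are assumed.

```python
"""Risk-matrix rating and control cost-benefit comparison. Added example, not
from the thesis, NIST or the company framework; the matrix scores, the risk
thresholds and all money values are assumed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional

LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}  # assumed likelihood scores
IMPACT = {"low": 10, "medium": 50, "high": 100}         # assumed impact scores


def risk_level(likelihood: str, impact: str) -> str:
    """Risk matrix: product of the two scores, rated high (>50), medium (>10)
    or low; the thresholds are assumed."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    asset_value: float        # value of the system resource at risk


@dataclass
class Control:
    name: str
    purchase: float           # company-framework cost elements ...
    implementation: float
    continuing_per_year: float
    training: float
    residual_likelihood: str  # likelihood expected once the control is in place


def control_cost(c: Control, years: int) -> float:
    """Purchase, implementation, continuing and employee training cost over the period."""
    return c.purchase + c.implementation + c.continuing_per_year * years + c.training


def expected_loss(risk: Risk, likelihood: str, years: int) -> float:
    """Assumed quantification: likelihood score x impact fraction x asset value per year."""
    return LIKELIHOOD[likelihood] * (IMPACT[risk.impact] / 100) * risk.asset_value * years


def cost_benefit(risk: Risk, control: Control, years: int) -> Dict[str, float]:
    """NIST elements: effect of implementing, effect of not implementing, the
    implementing cost, and that cost set against the system resource value."""
    loss_without = expected_loss(risk, risk.likelihood, years)
    loss_with = expected_loss(risk, control.residual_likelihood, years)
    cost = control_cost(control, years)
    return {
        "loss_if_not_implemented": loss_without,
        "loss_if_implemented": loss_with,
        "control_cost": cost,
        "net_benefit": loss_without - loss_with - cost,
        "cost_to_asset_ratio": cost / risk.asset_value,
    }


def select_control(risk: Risk, controls: List[Control], years: int) -> Optional[str]:
    """Pick the control with the largest positive net benefit; None when no
    control pays for itself (accepting the risk is then the cheaper option)."""
    best_name, best_net = None, 0.0
    for c in controls:
        net = cost_benefit(risk, c, years)["net_benefit"]
        if net > best_net:
            best_name, best_net = c.name, net
    return best_name


if __name__ == "__main__":
    r = Risk("design data leak via removable media", "high", "medium", 1_000_000)
    options = [Control("media encryption", 20_000, 10_000, 5_000, 5_000, "low"),
               Control("air-gapped design network", 900_000, 100_000, 0, 0, "low")]
    print(risk_level(r.likelihood, r.impact), select_control(r, options, 3))
```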
ENISA and AS/NZS 4360 propose the concept of positive risk in this case, which companies can use when a risk occurs. It is unique thinking among the four frameworks. The treatment plan could include improving the likelihood and impact of the risk, sharing the opportunities with other parties, etc.
Control implementation plan design
The control implementation step suggested by NIST includes seven steps: prioritise actions, evaluate recommended control options, conduct cost-benefit analysis, select controls, assign responsibility, develop a safeguard implementation plan and implement the selected controls. Each step is well defined and is helpful when implementing controls.
Apart from NIST's detailed control implementation process, the other three frameworks have different concerns when implementing security controls.
ISO 31000: the reason for selection, the responsibility of the risk treatment, proposed action, required resource, measuring of performance, time and schedule, etc.
ENISA: time for implementation, required resource, responsibility for each risk, etc.
Company: the control method number, name, method description, responsible person, implementation staff, resource list, scheduled time.
Table 7 Element in implementation plan
All three frameworks indicate the importance of senior managers and expert support in the implementation process.
Residual risks are mentioned in the three international frameworks; they should be monitored through ongoing risk management activities and by setting acceptance levels for these risks. However, awareness of residual risk is not mentioned in the company framework.
3.4.2 Possible improvements for case study company framework
The company framework has some advantages compared with the three international frameworks. However, improvements could be integrated for better performance. Bringing in the advantages of the international frameworks could strengthen the company risk management framework and provide stronger protection for the case study company.
A risk management policy could be added to the company framework to define the objectives of risk management, the process, the expected performance, etc. Risk criteria are another missing element, which could bring clear objectives when making treatment decisions. They could include operational, technical, social and environmental criteria, timing and likelihood, etc. In addition, the organisation's business policy could be considered when designing the risk criteria.
3.4.2.1 Risk identification and analysis
In the context establishment phase, the company does not define the specific context which needs to be assessed. For instance, NIST suggests system characterisation analysis, and internal and external context are mentioned by ENISA and ISO 31000.
Threat analysis could involve motivation analysis to cover the human threat area by evaluating human motivation. In regard to motivation analysis, Robert (2007) indicates that cyber-crime motivation consists of power, revenge, politics, excitement, etc. Political motivation has increased in recent years, for example the stealing of sensitive government information. For a cyber-crime to be committed, opportunity, inhibition and trigger are the main conditions that need to be met, and these three conditions need to be countered and eliminated to decrease the possibility of risk.
A current control analysis category should be suggested in the framework to guide the risk management team through this action.
In regard to risk impact analysis, apart from the financial concern, system availability, data confidentiality and integrity analysis also need to be integrated into the company framework, given the importance of the CIA triad in the information assurance and security field. In addition, various supporting actions should be included in the risk analysis phase, such as stakeholder concerns, expert support, organisational risk tolerance, etc. Qualitative, semi-quantitative or quantitative risk analysis methods are approaches worth considering when analysing risk. In addition, according to Pollard et al. (2004), risk could be identified in three ways: operational, programming and strategic. This is similar to the company framework; however, it indicates tools for the different risk categories.
Operational: fault and event tree analysis, risk ranking, hazard and operability study, etc.
Programming: failure mode and effect analysis, GIS-based infrastructure risk model, etc.
Strategic: multiple attribute analysis, scenario planning and analysis, etc.
The analysis methods mentioned here could be considered for framework improvement. The method could be selected to fit the company environment.
3.4.2.2 Risk treatment
Subsets of the control categories could be built to improve effectiveness when mitigating the risk; they would contain supportive, prevention, detection and recovery controls. Cost benefit analysis could be improved by inserting several more elements, such as the effect of implementing, the effect of not implementing and the implementation cost. As mentioned in the comparison section, the feasibility of incorporating the advantages of both NIST and the company framework could be considered. Positive risk analysis should be included as a new perspective when analysing the risk treatment plan. The treatment plan also needs to consider motivation, as mentioned in threat identification. To reduce the three conditions, motivation analysis could become an effective method to manage potential risk. Increasing the effort required to attack and the complexity of the system could minimise the motivation effectively (Harold et al. 2010).
Control implementation plan
The seven-step implementation plan introduced in the NIST framework is comprehensive and detailed; it could be a good example for organisations to consider. Moreover, timing, cost and resource planning are crucial factors which should be treated carefully when designing the implementation plan. Wang et al. (2008) assert that these three elements of implementation planning should be considered to ensure the effectiveness of the implementation plan. The comparison between different implementation plans should be associated with cost-benefit analysis (Peter et al. 2010); defining the cost-performance of each plan is the important selection criterion for making the suitable choice for the company.
Residual risk
The monitoring and continuing management of residual risk should be carried out in companies and organisations. According to Schneidewind (2009), several actions are suggested for the monitoring process. They include monitoring suspicious activities and monitoring sensitive data such as web server, router, firewall and intrusion detection system logs, which can be monitored and analysed to determine the security status. As new countermeasures emerge in the security area, the residual risk could be overcome in the future; ongoing prevention needs continued attention.
In regard to the monitoring process, understanding the current risk condition is important (Schneidewind 2009). Several measurements could be included in the monitoring process, such as statistics on the frequency of Internet attacks against the company, Internet attacks, reported Internet attacks, successful attacks, the duration of attacks, the financial impact of Internet attacks and the targeted systems. With an informative statistical report, the improvement of risk management could be more effective and apparent.
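The measurements listed above, computed over a constructed attack-event log, as an added example that is neither Schneidewind's nor the company's code; the log format, every event in it and the period comparison are assumptions made for illustration.

```python
"""Residual-risk monitoring statistics computed over a constructed attack-event
log. Added example, not Schneidewind's or the company's code; the log format
and every event in it are assumptions made for illustration."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed log, one event per line:
# timestamp source target reported|unreported success|failed duration_min loss
SAMPLE_LOG = """\
2012-05-01T08:12:00 internet web-server reported failed 3 0
2012-05-01T09:40:00 internet web-server unreported failed 1 0
2012-05-02T14:05:00 internet firewall reported failed 12 0
2012-05-03T02:30:00 internet mail-server reported success 95 12000
2012-05-03T11:15:00 internet web-server unreported success 40 3500
2012-05-04T16:00:00 insider file-server reported failed 5 0
"""


@dataclass
class AttackEvent:
    when: datetime
    source: str       # "internet" or "insider"
    target: str       # targeted system
    reported: bool    # was the attack reported by the affected team?
    succeeded: bool
    duration_min: int
    loss: float       # financial impact


def parse_log(text: str) -> List[AttackEvent]:
    """Parse the constructed log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, src, target, rep, res, dur, loss = parts
        events.append(AttackEvent(datetime.fromisoformat(ts), src, target,
                                  rep == "reported", res == "success",
                                  int(dur), float(loss)))
    return events


def monitoring_statistics(events: List[AttackEvent]) -> Dict[str, object]:
    """The measurements listed above: Internet attack frequency, Internet
    attacks, reported attacks, successful attacks, duration, financial impact
    and targeted systems. Insider events are kept out of the Internet figures."""
    internet = [e for e in events if e.source == "internet"]
    successful = [e for e in internet if e.succeeded]
    if not internet:
        return {"internet_attacks": 0}
    span_days = (max(e.when for e in internet) - min(e.when for e in internet)).days + 1
    targets = Counter(e.target for e in internet)
    return {
        "internet_attacks": len(internet),
        "attack_frequency_per_day": len(internet) / span_days,
        "reported_internet_attacks": sum(1 for e in internet if e.reported),
        "successful_attacks": len(successful),
        "mean_duration_min": sum(e.duration_min for e in internet) / len(internet),
        "financial_impact": sum(e.loss for e in successful),
        "targeted_systems": dict(targets),
        "most_targeted": targets.most_common(1)[0][0],
    }


def compare_periods(before: Dict[str, object], after: Dict[str, object]) -> Dict[str, float]:
    """Change in each numeric measurement between two reporting periods, so an
    improvement (or deterioration) in residual risk is visible in the report."""
    return {k: after[k] - before[k] for k, v in before.items()
            if isinstance(v, (int, float)) and k in after}


if __name__ == "__main__":
    stats = monitoring_statistics(parse_log(SAMPLE_LOG))
    for key, value in stats.items():
        print(f"{key}: {value}")
```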
4 Conclusion
The three international frameworks (NIST SP800-30, ISO 31000, ENISA) reviewed in this thesis have their own advantages and shortcomings. NIST gives a specific and comprehensive process for risk assessment and risk mitigation activities. In addition, each process is well defined in its own chapter, and this detailed explanation could help an organisation carry out risk management in a more effective and organised way. More comprehensive analysis during threat and vulnerability analysis, impact and likelihood evaluation, control selection, etc. should improve the security level dramatically. In this case, NIST provides a suitable framework for the risk assessment and mitigation process to gain maximum performance. Meanwhile, ISO 31000 has a less detailed assessment and mitigation strategy; however, other fields such as mandate and commitment, risk management policy building, internal and external communication, and reporting policy design are further features which could improve the risk management process by focusing on useful operational and management points of view. In regard to preparation before risk assessment, some actions suggested in ISO 31000 could bring a positive effect to the company. Risk management policies such as operating procedures and management activities are important for achieving the goal; mandate and commitment could provide the baseline and foundation for the risk management process. ENISA also introduces some useful features, such as a communication policy, risk analysis methods (qualitative, semi-quantitative and quantitative analysis) and risk treatment methods such as a treatment plan for positive risk. Each of the three frameworks has different features which could be used in the risk management process.
In regard to the company framework, the two phases of the risk management framework (risk management process and implementation plan) are a unique feature which divides the entire framework into two different parts, one relating to the technical aspect and the other to the management and operational aspects. Each part has its own objective, so that risk management can proceed simultaneously and the whole process cycle can be managed. Other features such as the risk database could help the organisation understand the risk situation and the risk inventory, and the risk scenario used by the analyst could improve the understanding of the situation and the efficiency of analysis. In addition, improvements such as a risk management policy, motivation analysis, residual risk analysis and monitoring, and a detailed control implementation process could be added to the company risk management framework to increase its suitability and usability. With the integration of these methods and concerns, the company framework will achieve better performance in future risk management.
Risk cannot be avoided during a company's business processes. To decrease the damage caused by risk and to prevent company property from being placed in a dangerous situation, certain methods should be utilised in the company. In this case, a risk management framework is one of the suitable and usable techniques to mitigate and eliminate risk. A comprehensive risk management framework built within the company could bring positive consequences when dealing with risk. For effective implementation and different concerns, a suitable risk management framework should be chosen before the risk management process begins. It should consider the company size, social environment, human factors, the location of the company, government standards, etc. The process could differ according to the various factors a company has. With the implementation of a risk management framework, company and organisational property such as personnel, resources and reputation could be protected, and the effect of risk could be decreased to an accepted level.
References
Amoroso, E, G, 2011, "Cyber-attacks: awareness," Network Security, vol. 2011, pp. 10-16.
Standards Australia, 2009, "Risk management – Principles and guidelines", AS/NZS ISO 31000:2009.
Standards Australia and Standards New Zealand, 2004, "Risk management", AS/NZS 4360:2004.
Barati, S and Mohammadi, S, 2008, "Enhancing Risk Management with an efficient risk identification approach," in Management of Innovation and Technology, 4th IEEE International Conference, pp. 1181-1186.
China Aerospace Systems Engineering Corporation, "About us", viewed 28 May 2012, <http://www.casec.cn/hp_gywm.htm>.
China Aerospace Science and Industry Corporation (CASIC), "About us", viewed 22 May 2012, <http://www.casic.cn/n101/index.html>.
Choo, K, K, R, 2011, "Cyber threat landscape faced by financial and insurance industry," Trends and Issues in Crime and Criminal Justice, no. 408, pp. 1-6.
Choo, K, K, R, 2011, "The cyber threat landscape: Challenges and future research directions," Computers & Security, vol. 30, pp. 719-731.
Contos, B, T, 2007, "Chapter 1 - Cyber Crime and Cyber Criminals 101," in Enemy at the Water Cooler, Syngress, Burlington.
Ekelhart, A, Fenz, S and Neubauer, T, 2009, "AURUM: A Framework for Information Security Risk Management," in System Sciences, 2009, 42nd Hawaii International Conference, pp. 1-10.
European Network and Information Security Agency (ENISA), 2006, "Risk Management: Implementation principles and Inventories for Risk Management/Risk Assessment methods and tools".
Gaidow, S and Boey, S, 2005, Australian Defence Risk Management Framework: A Comparative Study, DTIC Document.
Gordon, L, A, Loeb, M, P and Sohail, T, 2003, "A framework for using insurance for cyber-risk management," Communications of the ACM, vol. 46, pp. 81-85.
Jane’s Information Group, 2011, "China Aerospace Science and Industry Corporation (CASIC)," 6 May 2011.
Jian, Z, Suling, J, Wen, L, T and Qi, W, 2008, "Risk control and implementation planning in IS project," in Industrial Engineering and Engineering Management, IEEM 2008, IEEE International Conference, pp. 1013-1017.
Jung-Ho, E, et al., 2010, "Qualitative initial risk analysis for selecting risk analysis approach suitable for IT security policy," in Information Theory and Information Security (ICITIS), 2010 IEEE International Conference, pp. 669-673.
Katsumata, P, Hemenway, J and Gavins, W, 2010, "Cybersecurity risk management," in Military Communications Conference, pp. 890-895.
Khidzir, N, Z, Mohamed, A and Arshad, H, N, 2010, "Information security risk factors: Critical threats vulnerabilities in ICT outsourcing," in Information Retrieval & Knowledge Management (CAMP), 2010 International Conference, pp. 194-199.
Linjie, C, 2011, "The growth risk identification method of small and medium real estate brokerage business," in Mechanic Automation and Control Engineering (MACE), 2011 Second International Conference, pp. 2714-2717.
Lin, M, Wang, Q and Li, J, 2005, "Methodology of Quantitative Risk Assessment for Information System Security," in Computational Intelligence and Security, vol. 3802, pp. 526-531.
Mathew, A, R, Hajj, AL Ruqeushi, K, 2010, "Cyber crimes: Threats and protection," in Networking and Information Technology (ICNIT), 2010 International Conference, pp. 16-18.
Medeiros, E, Cliff, R, Crane, K and Mulvenon, J, D, 2005, "A New Direction for China's Defense Industry," RAND Corporation, vol. 334, p. 53.
Microsoft, 2009, The surprising risk of counterfeit software in business, Microsoft Corporation, viewed 24 May 2012, <http://download.microsoft.com/documents/rus/antipiracy/Surprising_Risks_of_Counterfeit_in_Business_Final.pdf>.
Murtaza, M, B, 2011, "Developing An IT Risk Assessment Framework," Review of Business Information Systems (RBIS), vol. 11, no. 4, pp. 69-76.
National Cyber Security Alliance, "Counterfeit Software: What’s the Risk?", viewed 24 May 2012, <http://www.staysafeonline.org/blog/counterfeit-software-what%E2%80%99s-risk>.
NTI, 2012, "China Aerospace Science and Industry Corporation (CASIC)", viewed 8 September 2012, <http://www.nti.org/facilities/63/>.
NTI, 2012, "China Aerospace Science and Technology Corporation (CASC)", viewed 8 September 2012, <http://www.nti.org/facilities/64/>.
Pardue, H, Landry, J and Yasinsac, A, 2009, "A Risk Assessment Model for Voting Systems using Threat Trees and Monte Carlo Simulation," in Requirements Engineering for e-Voting Systems (RE-VOTE), 2009 First International Workshop, pp. 55-60.
Pollard, S, J, T, Strutt, J, E, Macgillivary, B, H, Hamilton, P, D and Hrudey, S, E, 2004, "Risk Analysis and Management in the Water Utility Sector: A Review of Drivers, Tools and Techniques," Process Safety and Environmental Protection, pp. 453-462.
Queensland Government, 2001, Information Risk Management Best Practice Guide, viewed 28 May 2012, <http://www.qgcio.qld.gov.au/SiteCollectionDocuments/Architecture%20and%20Standards/Information%20Standards/Current/riskmanagementbpg.doc>.
Sadiq, M, et al., 2010, "Software risk assessment and evaluation process (SRAEP) using model based approach," in Networking and Information Technology (ICNIT), 2010 International Conference, pp. 171-177.
Schneidewind, N, 2009, Cyber Security Prediction Models, Chapter 14, pp. 305-332.
Stokes, M, A, 1999, "China's Strategic Modernization: Implications for US National Security," Army War College Strategic Studies Institute, Carlisle Barracks, p. 165.
Stoneburner, G and Goguen, A, 2002, "Risk management guide for information technology systems," NIST Special Publication 800-30.
Syalim, A, et al., 2009, "Comparison of Risk Analysis Methods: Mehari, Magerit, NIST800-30 and Microsoft's Security Management Guide," in Availability, Reliability and Security, 2009, ARES '09, International Conference, pp. 726-731.
Tohidi, H, 2011, "The role of risk management in IT systems of organizations," Procedia Computer Science, vol. 3, pp. 881-887.
Xue, C, et al., 2011, "Study on Risk Evaluation of Enterprise Information Systems," Procedia Engineering, vol. 15, pp. 1889-1893.
Zambon, E, et al., 2007, "Model-Based Mitigation of Availability Risks," in Business-Driven IT Management, 2007, BDIM '07, 2nd IEEE/IFIP International Workshop, pp. 75-83.