Proceedings of the International Multiconference on Computer Science and Information Technology, pp. 617 – 628, ISSN 1896-7094, © 2007 PIPS
Integrated, Business-Oriented, Two-Stage Risk Analysis
Andrzej Białas, Krzysztof Lisek
Institute of Innovations and Information Society, 40-954 Katowice, ul. Wita Stwosza 7, Poland
{Andrzej.Bialas, Krzysztof.Lisek}@insi.pl
Abstract: This paper presents an integrated, business-oriented, two-stage risk analysis method related to the Information Security Management Systems (ISMS) concept. The current state of the work is presented, including risk analysis methods and their implementation. The concept assumes the integration of preliminary overviews as well as high- and low-level risk analyses. High-level risk analysis works with the needs of business processes and presents the criticality of these processes. Low-level risk analysis works with assets and selects safeguards in a cost-effective manner. It is assumed that the presented risk analysis concept can be used in other management systems: business continuity and IT services management. The paper summarizes the current state of the work and defines its further directions.
Keywords: Information security management, Risk analysis.
1 Introduction
The paper presents a business-oriented approach to risk management for information and e-business security management. Risk management is a significant part of the extended version of the ISMS framework [1], [2], based on the PDCA (Plan-Do-Check-Act) scheme.
Present-day Information and Communication Technologies (ICT) are widely used for the management of large businesses, critical information infrastructures, or emerging e-services, upholding e-business, e-government or e-health applications. This situation demands technically and economically efficient solutions that should provide the right assurance for their stakeholders and users. Such demands can be satisfied by a common approach which takes into account:
− the needs of business processes with respect to information and e-services security,
− effective use of ICT providing managed IT services for business processes,
− detailed risk characteristics, including cost/benefit aspects,
− dependable and trustworthy solutions providing the right assurance.
Most of these issues are addressed in information security management systems, where all activities concerning information security are based on risk analysis. Risk analysis is the key to establishing a cost-effective and business-oriented management system. For this reason, the authors have developed a new approach to risk management with the following main assumptions:
− possibility to thoroughly recognize business processes and management expectations;
− gradation of business processes with respect to security;
− enhanced, two-stage, UML-model-based risk analysis that allows to assess the risk according to qualitative and/or quantitative measures, with a built-in ROI (Return on Investment) type mechanism that allows to select different safeguards;
− compliance with risk management requirements contained in ISO/IEC 27001 [1] and further requirements which will be contained in ISO 27005 (currently under development).
The concept of a two-stage risk analysis for risk-based information and e-services security management has been elaborated on the basis of:
− a study of the needs and requirements of various organizations,
− an analysis of the current state of standards, legal requirements and technology (overview of existing methodologies and tools),
− experiences sampled during deployment and case studies prepared in the course of the specific targeted project “Complex information and services security management system” [3].
The paper presents a holistic approach to risk management which allows to create a business-oriented and highly integrated risk analysis. The paper also summarizes the current state of the work and defines its directions for the nearest future.
2 Needs and Requirements for Business-Oriented Risk Analysis Compatible with ISO/IEC 27001
Modern organizations which want to ensure the information security of their assets need to establish and maintain effective information security management systems. These systems, in turn, must integrate a well-balanced set of safeguards selected on the basis of the existing risks and business needs. Thus the following requirements were formulated to better specify the characteristics and needs of organizations for a risk analysis compatible with ISO/IEC 27001:
− top-down approach – beginning from preliminary organization overviews, analyses of the security needs of business processes, and high- and low-level risk analyses; the implemented ISMS is refined step by step but still focuses on business needs [4, 5];
− identification of the needs of business processes and the criticality of these processes;
− identification of basic factors influencing the security of each asset related to the given business process, e.g. possible threats, possible vulnerabilities, environment;
− possibility to select cost-effective safeguards and create a risk treatment plan;
− possibility to use some elements of the risk analysis in the risk management part of business continuity management and IT services management contained in the Integrated Security Platform (ISP) [4].
3 Summarizing the Current State of the Art
The development of risk analysis requires an extensive study of the current state of the art, including all available risk management standards, recommendations, best practices, guidelines, case studies, methodologies, their implementations and renowned supporting tools, particularly:
− key standards dealing with information security management systems, i.e. ISO/IEC 27001 and ISO/IEC 17799 (now ISO/IEC 27002) – to properly understand the ISMS implementation requirements in the field of risk management;
− auxiliary documents, i.e. IT security and risk management methodologies, such as ISO/IEC [6], US NIST publications [7], German IT Grundschutz [8] – to supplement or extend the risk analysis features and facilities; the motivation for the two-stage risk analysis methodology (called the “combined approach”) is discussed in [6];
− state of the art in business processes modelling – to identify their relationships with the above mentioned management systems, especially information security and IT services; “business orientation” is the key issue for the risk analysis;
− methods and tools related to risk management in the information security domain;
− ICT and general technical issues (communication protocols, network equipment, cryptographic applications, physical protection) – as a context of risk management;
− business continuity management, e.g. [9], IT services management [10], [11], as well as quality, environmental, occupational safety and health management systems which coexist in the organization – to better understand risk management requirements in such systems;
− potential sources of statistical information on threats – to serve as input data in risk analysis.
There are a number of tools, like Cobra [12], Cora [13], Coras [14], Cramm [15], Ebios [16], Ezrisk [17], Mehari (Risicare) [18], Octave [19], and Riskpack [20], that specialize in risk management. However, they do not cover all aspects of business-oriented risk analysis compatible with ISO/IEC 27001. They focus on IT aspects only or do not set enough store by the significance of business processes for the organization. Ebios can perform a detailed risk factors analysis but cannot operate on monetary values during the risk analysis. Cora can perform the ROI analysis. There is a UML-based advanced model of risk implemented in Coras, which uses the safety risk management methods (Hazop, FME(C)A, FTA) and allows a simple causality analysis. The available risk analysis methods focus rather on a detailed risk analysis for the whole of the ICT systems in the organization. Only [8] and [21] implement the combined approach [5], which allows to identify security domains of similar security requirements during the preliminary high-level risk analysis. In the further course of the process, this approach also allows to perform a detailed risk analysis only for the critical domains, and to apply baseline protection for the others. Thanks to this approach it is possible to avoid a costly detailed risk analysis for the entire organization; however, it is not fully compatible with ISO/IEC 27001.
Please note that the assets inventories that focus on risk management are different from those that focus on security, business continuity or IT services management. Additionally, there are some differences between risk analysis requirements in such systems. Mehari and its Risicare risk supporting tool are able to identify relationships between IT service quality and risk value.
Risk analysis also needs some sources of information about threats. This information helps to prepare a better risk analysis based, to the highest possible extent, on real factors. Currently, these sources are scattered and the information has to be obtained from different places; e.g. information about current levels of threat on the Internet can be obtained from the Polish CERT [22].
There are a few risk analysis methods and tools but each of them is only partially compliant with the optimum risk analysis characteristics described above. The review of the current state of technology, including standards, best practices, methods and tools, helped to select the most useful features for risk analysis and to develop new features, especially in terms of business flexibility and usability.
4 Concept of Business-Oriented Risk Analysis
Information security management, safeguards selection, and incidents management are based on a fundamental risk analysis. According to ISMS requirements, every asset of the organization should be identified. Moreover, for each of these assets it is necessary to identify threats, vulnerabilities and impacts that may cause losses of information confidentiality, integrity and availability. In the end, a satisfactory risk treatment plan should be made. Although such a risk analysis is compliant with the ISO/IEC 27001 requirement, such risk management is too flat in relation to today’s business needs. In modern organizations, the management focuses on business processes, their optimization and security [23]. Therefore, modern risk analysis should also be business-oriented and should include business processes in the risk assessment approach.
Fig. 1. Business-oriented, two-stage risk analysis (UML class diagram “Risk analysis model”, with high-level risk analysis and low-level risk analysis as the two stages).
The results of the preliminary business analysis conducted in the above mentioned specific targeted project [3] allow to define a concept of business-oriented risk analysis which carries out a holistic approach to all aspects of risk management, as shown in Fig. 1.
The two-stage risk analysis concept is based on earlier works [4], [5]. During the development process new factors and an integrated method of safeguards selection were added. The factors are responsible for visualizing the mutual relation between business processes and assets. The risk analysis divides all tasks connected with risk management into two stages: one for the tasks connected with the security assessment of business processes (high-level risk analysis) and the second for the tasks connected with the security assessment of assets related to these business processes, in order to perform the risk treatment and selection of safeguards (low-level risk analysis).
4.1 High-Level Risk Analysis
High-level risk analysis comprises the first phase of the risk management process and detects the level of information security risk for each business process recognized in the organization. This part of the analysis is responsible for creating the image that presents the state of business processes criticality for the organization with respect to information security.
During this phase of risk management every identified business process is analyzed in terms of confidentiality, availability and integrity. The analysis process is based on information obtained as a result of preliminary activities conducted prior to the analysis. Most important are the results of the general organization overview prepared in accordance with the Organization Overview Criteria (OOC) [4], as well as the results of the detailed organization overview prepared in accordance with the Basic Security Needs Criteria (BSNC), carried out in the phase of the ISMS implementation prior to risk analysis. Risk management encompasses the following steps, indicating what should be done for every business domain:
1. Characterize business processes criticality for the organization (C4O).
2. Characterize business domain dependency on ICT (ITDD), man dependency degree (MDD), and the dependency on other predefined criteria (xDD).
3. Identify protection needs (PN) concerning integrity, confidentiality and availability.
4. Determine business impact (BI) concerning integrity, confidentiality and availability.
5. Calculate high-level risk (HLRx) concerning integrity, confidentiality and availability.
High-level risk HLR_n (where n stands for, respectively: I for integrity, C for confidentiality and A for availability) accumulates the levels of C4O, ITDD, MDD, xDD, PN_n, and BI_n in the following way:
HLR_I[j] = C4O[j] * ITDD[j] MDD[j] xDD[j] * PN_I[j] * BI_I[j]    (1)
HLR_C[j] = C4O[j] * ITDD[j] MDD[j] xDD[j] * PN_C[j] * BI_C[j]    (2)
HLR_A[j] = C4O[j] * ITDD[j] MDD[j] xDD[j] * PN_A[j] * BI_A[j]    (3)
Aggregated results represent the general security importance HLR of the j-th business process:

HLR[j] = (HLR_I[j] + HLR_C[j] + HLR_A[j]) / 3    (4)

where j represents the j-th business process.
Fig. 2. Security risk map diagram (bar chart of the current HLR value for Process 1 to Process 5 against the average HLR value for the organization; vertical axis 0–6).
Finally, based on the HLR[j] results, it is possible to create a security risk map (SRM) for the whole organization, presented in Fig. 2. The SRM graphically presents the calculated level of information security risk for each business process in relation to the average one. With the SRM, the most critical business processes for the organization can be recognized, to better perform the detailed risk analysis and risk treatment process.
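As an added example (not code from the paper or its supporting tool), the aggregation of equation (4), the SRM comparison of each process against the organization average, and the proportional derivation of the risk factor RF that Sect. 4.2 describes, in Python. The per-process HLR_I, HLR_C and HLR_A inputs are constructed, and the RF range 1..10 with linear scaling between the least and most critical process is an assumption of this example.

```python
from statistics import mean

# Constructed sample: (HLR_I, HLR_C, HLR_A) per business process, as would
# come out of equations (1)-(3). The numbers are illustrative only.
PROCESS_HLR = {
    "Process 1": (2, 4, 3),
    "Process 2": (1, 2, 3),
    "Process 3": (5, 6, 4),
    "Process 4": (3, 3, 3),
    "Process 5": (0, 1, 2),
}


def aggregate_hlr(hlr_i, hlr_c, hlr_a):
    """Equation (4): general security importance HLR[j] of one business process."""
    return (hlr_i + hlr_c + hlr_a) / 3


def security_risk_map(process_hlr):
    """Build the SRM of Fig. 2 in tabular form.

    Returns (organization average, {process: (HLR[j], above_average)}).
    """
    hlr = {name: aggregate_hlr(*levels) for name, levels in process_hlr.items()}
    avg = mean(hlr.values())
    return avg, {name: (value, value > avg) for name, value in hlr.items()}


def critical_processes(process_hlr):
    """Processes above the organization average, most critical first; these are
    the candidates for the detailed (low-level) risk analysis."""
    _, srm = security_risk_map(process_hlr)
    above = [(name, value) for name, (value, flag) in srm.items() if flag]
    return [name for name, _ in sorted(above, key=lambda item: -item[1])]


def risk_factors(process_hlr, rf_min=1, rf_max=10):
    """Derive RF per process as Sect. 4.2 describes: the most critical process
    gets rf_max, the least critical rf_min, the others proportionally to HLR[j].
    Linear scaling between the two endpoints is an assumption of this example."""
    hlr = {name: aggregate_hlr(*levels) for name, levels in process_hlr.items()}
    lo, hi = min(hlr.values()), max(hlr.values())
    if hi == lo:  # all processes equally critical: no gradation possible
        return {name: rf_max for name in hlr}
    return {name: rf_min + (value - lo) / (hi - lo) * (rf_max - rf_min)
            for name, value in hlr.items()}


if __name__ == "__main__":
    avg, srm = security_risk_map(PROCESS_HLR)
    print(f"organization average HLR = {avg:.2f}")
    for name, (value, above) in srm.items():
        print(f"{name}: HLR = {value:.2f} {'(above average)' if above else ''}")
    print("critical:", critical_processes(PROCESS_HLR))
    print("RF:", risk_factors(PROCESS_HLR))
```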
4.2 Low-Level Risk Analysis
Low-level risk analysis is the next important phase of the risk management process. Its objective is to identify and determine the risk volume for each asset which is vulnerable to threats and, at the same time, exposed in the threat environment. The preliminary version [5] is enhanced and new factors, representing business security needs, are added. The risk volume is a function of the following:
• Asset value
• Event possibility
• Vulnerability severity
• Efficiency of the existing or planned controls
• Special factors related to the business processes to which a given asset belongs.
The risk analysis comprises the identification of all possible risk cases and then the estimation of the risk volume. In other words, one has to identify all potential events which may have a negative influence on the organization’s operations and whose source are IT systems and their environment. Then the event possibility is estimated. Other factors that have to be assessed are threat severity and the probability of its occurrence in reality. This negative influence is the so-called impact related to the loss or violation of assets. The possibility of negative events depends on many factors that have to be taken into account in the above mentioned estimations:
• how attractive is a given asset to the potential intruder?
• what is the event possibility or frequency of occurrence?
• how easily can the asset vulnerability be exploited?
• what is the impact for a business process resulting from the loss or violation of a given asset?
Low-level risk analysis uses the information about assets gathered in the Common Assets Inventory (CAI) [4]. The most important item is the asset’s business value, which says how much a given asset is worth to the organization. Risk value can be estimated by means of the Courtney method, which assumes that risk value is the product of two factors: the occurrence rate of the event (event possibility) and the volume of its consequences. Since it is difficult to obtain reliable data on the occurrence rate, it is estimated indirectly. We propose the following: the product of threat severity (TS) and vulnerability severity (VS), each taken relative to its maximal value. Discrete predefined measures are used. Below, one can find a risk volume assessment method that is an extension of this concept.
Risk value (RV[i]), determined in the course of the i-th analysis and expressed with respect to an arbitrary point scale applied to estimate the value of the organization’s assets, is:

RV[i] = (VS[i] / VS_MAX) * (TS[i] / TS_MAX) * AV[i] * PS[i] * RF[i] * PIF[i]    (5)

where VS[i] is the vulnerability severity level; VS_MAX – maximum arbitrary level of vulnerability severity; TS[i] – threat severity level; TS_MAX – maximum arbitrary level of threat severity; AV[i] – asset value in points estimated in the course of the i-th analysis; PS[i] – proportional asset value loss as a result of the threat analyzed in the i-th analysis; RF[i] – risk factor representing the business process level of criticality; and PIF[i] – process impact factor.
The latter two factors show the mutual relation between business processes and assets, therefore they need some explanation. The risk factor (RF) is calculated on the basis of the high-level risk analysis, where the most critical business process has the maximum value and the least critical one the minimum. The other processes have the RF value calculated proportionally to the HLR value. RF has the same value for each asset in the same business process. The process impact factor (PIF) represents the business process loss resulting from asset loss or violation for the analyzed threat-vulnerability pair. PIF is assessed for each asset in the given business process.
Comparing the volumes of RV[i] (in step i) and RV[i+1] (step i+1) allows to estimate the effect of the controls applied to reduce RV[i]. The volumes of VS[i+1] and TS[i+1], with respect to the new situation (proposed controls implemented), are estimated and on this basis RV[i+1] is calculated. In other words, it is possible to estimate the efficiency of the actions undertaken.
Each organization should keep under control not only its security but also the cost of achieving and maintaining this security. The objective of all activities and investments in the domain of security is to improve the organization’s position on the market or in the society. Economic efficiency can be achieved when one simple rule is obeyed – one should apply only those security measures which are necessary and sufficient. This can be done by implementing more and more efficient management methods and tools which combine qualitative and quantitative (monetary) methods and allow simple cost/benefit analyses, including ROI. The calculation covers current situation values (i) and new safeguards values (i+1).
ROI = (RVC[i] − RVC[i+1]) / (SC[i+1] − SC[i])    (6)
Risk value expressed in currency, RVC, can be presented as:

RVC[i] = RV[i] * UV[cur]    (7)
where UV[cur] is the unit value expressed in currency. Safeguards costs (SC) should be calculated with respect to comparable periods of time (the best thing to do is to give their average annual values). In case a given safeguard is purchased, the value in question will not be its total purchase cost but the value depreciated in the course of a given year plus the cost of the work devoted to the maintenance of the safeguard throughout the year.
After analyzing different variants of safeguards (having different cost and risk reduction possibilities), the most costeffective variant is chosen for implementation. This way the organization always chooses the safeguards that are most suitable to the needs of its business processes and, on the other hand, are economically justified.
Example 1. Simple low-level risk analysis. The sample organization has “Asset 1” working in “the business process of marketing”. The previous risk assessment for this asset gives the following information:
RV[i] = 157 – assessed current risk value,
RVC[i] = 15 700 € – assessed annualized risk value in currency,
SC[i] = 1 000 € – current annualized safeguards cost,
RF[i] = RF[i+1] = 6 – criticality of the marketing process (derived from the high-level risk analysis).
Asset 1 starts to be used in a very important project and the risk needs to be reduced below 100. Risk reduction can be achieved by choosing 1 of 3 different possible safeguards having different costs presented in Table 1. For each of them the risk was assessed:
Table 1. Simple low-level risk analysis

Safeguard   SC[i+1]   RV[i+1]   ROI
1           1 500 €   99        11.6
2           5 000 €   50        2.675
3           3 000 €   80        3.85
The best choice is safeguard 1 because it has a risk level acceptable to the organization and, additionally, has the best ROI value of the analyzed safeguards.
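Equations (5)–(7) and the safeguard selection of Example 1 in Python, as an added example that is not the paper's own code or tool. The unit value UV[cur] = 100 € per risk point is derived here from RV[i] = 157 and RVC[i] = 15 700 €; the input for the equation (5) demonstration is constructed; the acceptance rule (RV[i+1] below 100, then best ROI) follows Example 1.

```python
from dataclasses import dataclass


@dataclass
class Safeguard:
    name: str
    sc_next: float   # SC[i+1]: annualized safeguard cost in €
    rv_next: float   # RV[i+1]: risk value reassessed with the safeguard in place


def risk_value(vs, vs_max, ts, ts_max, av, ps, rf, pif):
    """Equation (5): RV = VS/VS_MAX * TS/TS_MAX * AV * PS * RF * PIF."""
    if not (0 < vs <= vs_max and 0 < ts <= ts_max):
        raise ValueError("severity levels must lie in (0, MAX]")
    return (vs / vs_max) * (ts / ts_max) * av * ps * rf * pif


def risk_value_currency(rv, unit_value):
    """Equation (7): RVC[i] = RV[i] * UV[cur]."""
    return rv * unit_value


def roi(rvc_cur, rvc_next, sc_cur, sc_next):
    """Equation (6): risk reduction in currency per unit of additional safeguard cost."""
    extra_cost = sc_next - sc_cur
    if extra_cost <= 0:
        raise ValueError("ROI per eq. (6) needs SC[i+1] > SC[i]")
    return (rvc_cur - rvc_next) / extra_cost


def select_safeguard(rv_cur, sc_cur, unit_value, candidates, rv_limit):
    """Example 1 decision rule: keep the variants whose RV[i+1] is below rv_limit
    and pick the one with the best ROI. Returns (Safeguard or None, {name: ROI})."""
    rvc_cur = risk_value_currency(rv_cur, unit_value)
    rois = {c.name: roi(rvc_cur, risk_value_currency(c.rv_next, unit_value),
                        sc_cur, c.sc_next) for c in candidates}
    acceptable = [c for c in candidates if c.rv_next < rv_limit]
    if not acceptable:
        return None, rois
    return max(acceptable, key=lambda c: rois[c.name]), rois


# Inputs of Example 1 / Table 1; UV is derived from 15 700 € / 157 points.
EXAMPLE_RV_CUR = 157
EXAMPLE_SC_CUR = 1000
EXAMPLE_UNIT_VALUE = 100
EXAMPLE_SAFEGUARDS = [
    Safeguard("1", 1500, 99),
    Safeguard("2", 5000, 50),
    Safeguard("3", 3000, 80),
]


def example_1():
    """Reproduce Table 1 and the choice of safeguard 1 (risk below 100, best ROI)."""
    return select_safeguard(EXAMPLE_RV_CUR, EXAMPLE_SC_CUR, EXAMPLE_UNIT_VALUE,
                            EXAMPLE_SAFEGUARDS, rv_limit=100)


if __name__ == "__main__":
    # Constructed eq. (5) input: VS 3 of 5, TS 4 of 5, AV 50 points, PS 0.8, RF 6, PIF 0.9
    print("RV =", risk_value(3, 5, 4, 5, 50, 0.8, 6, 0.9))
    chosen, rois = example_1()
    for name, value in rois.items():
        print(f"safeguard {name}: ROI = {value}")
    print("best choice:", chosen.name if chosen else "none acceptable")
```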
5 Conclusions
There are a lot of methods and tools developed in the realm of security risk analysis. They need constant improvement to catch up with the development and dissemination of new technologies in different areas of business and society. The paper deals with a risk analysis method addressing the needs of business processes. The motivation for the business-oriented, holistic, two-stage risk analysis includes the following:
− the need to integrate assets risk analysis with the information security needs of business processes,
− the need to provide modular and scalable solutions for different types of organizations,
− the need to provide an enhanced risk analysis method adaptable to other risk-based systems (business continuity management, IT services management).
Please note that the presented method facilitates continuous risk analysis in the organization. The assumptions for this project were specified and evaluated on the basis of:
− the investigation of needs and requirements concerning risk analysis in different management systems which deal with business processes, their information security, continuity, IT services, quality, environment, etc.,
− the current state of technology and standards overview.
The concept of two-stage risk analysis was validated in the course of the specific targeted project [3]. Within the project a case study workshop was conducted, during which the process of risk assessment was tested in the area of change management in software accessible on the basis of outsourcing agreements. Additionally, a computer supporting tool is being developed on the basis of the presented risk analysis method. During this process some elements must be developed, including the following:
− support for graphical business processes modelling,
− analytical and statistical facilities,
− preconfigured risk scenarios for different types of assets.
The ROI model should be extended to consider progress in IT technology – more efficient safeguards can be cheaper thanks to this progress. In the future the presented business-oriented, two-stage risk analysis method can be used in other risk-based management systems, such as business continuity management or IT services management. This will be possible thanks to the use of the RF and PIF factors, which link business processes and their security needs with assets risk analysis and describe the criticality of these processes. According to the latest information from ISO/IEC [24] there are efforts to base other management systems (i.e. quality) on risk, so this method can be used more widely.
References
1. ISO/IEC 27001. ISMS – Requirements (2005).
2. ISO/IEC 17799. Code of practice for information security management (2005).
3. Reports from the specific targeted project No 6ZR9 2005C/06667 Complex information and services security management system, ISS/EMAG, COIG S. A., 2006-2007 (in Polish).
4. Białas A.: Development of an Integrated, Risk-based Platform for Information and E-services Security. In: Górski J. (ed.): Computer Safety, Reliability, and Security, 25th International Conference SAFECOMP 2006, Springer Lecture Notes in Computer Science (LNCS 4166), Springer Verlag Berlin Heidelberg New York 2006, ISBN 3-540-45762-3, pp. 316-329.
5. Białas A.: Bezpieczeństwo informacji i usług w nowoczesnej instytucji i firmie (Information and services security in a modern organization and company), WNT Publishing House, Warsaw 2006 (in Polish).
6. ISO/IEC 13335-3, Guidelines for the management of IT Security (GMITS), Part 3.
7. National Institute of Standards and Technology, http://www.nist.gov
8. IT Grundschutz, http://www.bsi.bund.de
9. BS 25999-1. Business continuity management, Part 1: Code of Practice (2006).
10. ISO/IEC 20000-1. IT – Service management, Specification (2005).
11. ISO/IEC 20000-2. IT – Service management, Code of practice (2005).
12. Cobra. http://www.riskworld.net
13. Cora. http://www.istusa.com/
14. Coras. http://coras.sourceforge.net
15. Cramm. http://www.ogc.goc.uk
16. Ebios. http://www.ssi.gouv.fr
17. Ezrisk. http://www.ezrisk.co.uk/
18. Mehari, Risicare. http://www.clusif.asso.fr ; http://www.risicare.fr/
19. Octave. http://www.sei.cmu.edu
20. Riskpack. http://www.cpacsweb.com
21. Białas A.: The ISMS Business Environment Elaboration Using a UML Approach. In: Zieliński K., Szmuc T. (eds.): Software Engineering: Evolution and Emerging Technologies. IOS Press Amsterdam (2005) pp. 99-110.
22. CERT Polska. http://www.cert.pl
23. Rummler G. A., Brache A. P.: Improving Performance: How to Manage the White Space in the Organization Chart, 2nd Edition, Jossey-Bass Inc. Publishers 1995, ISBN 978-0-7879-0090-8.
24. Andrukiewicz E.: ISO/IEC 27005 – Zarządzanie ryzykiem w procesie budowania systemu zarządzania bezpieczeństwem informacji (Risk management in the process of building an information security management system), Presentation from the Conference: Wyzwania bezpieczeństwa informacji (Information Security Challenges), Warsaw 2006 (in Polish).