
Information Systems Risk

Analysis and Management


Spyros Kokolakis
University of the Aegean
IPICS 2005, Chios, 18-29 July 2005

Much about technology

Information and Communication Technologies Security

Networks
Wireless
Databases
Internet
Smart cards
Keys
Cryptography
Intrusion detection
...

Real world

IS or ICT Security?
Information and Communication Technologies Security
Confidentiality, Integrity, Availability etc.

Information System

An Information System comprises five interdependent elements: hardware, software, data, procedures, and people. These elements interact for the purpose of processing data and delivering information. An IS exists to serve an enterprise or organization and, consequently, it may only be studied in the context of the organization it serves.

Information Systems overview

How to fit security in the picture

With people as part of the system, we can forget any simple solutions.
IS security has no strict definition.
Security is a kind of feeling.
Are you secure? or Do you feel secure?
What's the right question?

Example: Airport security

List of possible measures

1. Scissors etc. not allowed
2. ID check (photo ID must be presented)
3. Only the person named on the ticket can travel
4. X-rays
5. Lighters are not allowed anywhere in the airport (it's time to quit smoking)
6. Biometrics
7. Boot your laptop to see if it has a battery
8. Lock the captain's cabin
9. Armed guards on board
10. Interview all passengers before boarding

In such a complex environment

Total security is out of the question.
People's behaviour is unpredictable.
We cannot account for all possible threats and we cannot detect all vulnerabilities.
Security costs money; and also time, people and other resources.

So, what shall we do?

Risk analysis & management

We need to employ methods that allow us to measure the risk associated with the operation of an IS, in order to take measures proportionate to the level of risk.
We need risk analysis and management methods.

What is Risk and how to measure it

Risk is determined by the following factors:
Assets (A)
Impact (I)
Threats (T)
Vulnerabilities (V)

R = f(A, I, T, V)

Assets, Impacts, Threats & Vulnerabilities

Assets: what needs protection.
Business impact is the outcome of a failure to protect the assets of the IS.
Threat is any action or event that may cause damage to an Information System.
Vulnerability is a characteristic of the IS that may allow a threat to succeed.

Conceptualisation of IS Sec

Risk analysis & management

Risk management methods

There are more than 100 methods:
CRAMM
MARION
SBA
OCTAVE

SBA (Security By Analysis)

Developed in Sweden in the early 80s
Very popular in Sweden and other Scandinavian countries
Focus on people
People involved in everyday operations have a better chance to identify problems

A set of methods:
SBA check
SBA scenario

CRAMM

CCTA Risk Analysis and Management Method
Developed in the UK in the late 80s
Used in many countries; it has been applied in many hundreds of cases
It includes a countermeasures library

CRAMM overview

Stage 1: Initiation and asset valuation
Model the IS; value the assets; management review

Stage 2: Risk assessment
Identify threats; assess threats and vulnerabilities; calculate risks; management review

Stage 3: Risk management
Select countermeasures; prioritise countermeasures and schedule implementation; obtain management approval; monitor
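The CRAMM stages (value the assets, assess threats and vulnerabilities, calculate risks, prioritise countermeasures) and the earlier R = f(A, I, T, V) can be made concrete in a small risk register. The following Python is an added example written for these notes; it is not code from the slides and does not reproduce CRAMM's own tables or scales. The 1-5 asset scale, the 1-3 threat and vulnerability scales, the product rule, the Low/Medium/High bands and the register entries are all assumptions.

```python
"""Risk register: combine asset value, threat and vulnerability into a risk
measure, then prioritise what to treat and show the residual risk after a
countermeasure.

Added example; not from the slides and not CRAMM's own method. The scales,
the product rule and the bands are assumptions; the entries are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # 1 (negligible) .. 5 (critical): business impact (A, I) of losing it


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # 1 (rare) .. 3 (frequent): how often the threat is expected (T)


@dataclass(frozen=True)
class Vulnerability:
    description: str
    level: int  # 1 (hard to exploit) .. 3 (trivial): how easily the threat succeeds (V)


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: Threat
    vulnerability: Vulnerability


LEVEL_ORDER = {"Low": 0, "Medium": 1, "High": 2}


def risk_score(risk: Risk) -> int:
    """Assumed f(A, I, T, V): impact scaled by likelihood and ease of success (1..45)."""
    return risk.asset.value * risk.threat.likelihood * risk.vulnerability.level


def risk_level(score: int) -> str:
    """Band the numeric score so management can review it qualitatively (assumed bands)."""
    if score <= 6:
        return "Low"
    if score <= 18:
        return "Medium"
    return "High"


def prioritise(register: list[Risk], tolerance: str = "Low") -> list[Risk]:
    """Risks above the accepted tolerance, highest score first: the treatment order."""
    needing_treatment = [
        r for r in register
        if LEVEL_ORDER[risk_level(risk_score(r))] > LEVEL_ORDER[tolerance]
    ]
    return sorted(needing_treatment, key=risk_score, reverse=True)


def apply_countermeasure(risk: Risk, reduction: int) -> Risk:
    """Model a countermeasure as lowering the vulnerability level (never below 1);
    the returned entry is the residual risk to be reviewed and monitored."""
    new_level = max(1, risk.vulnerability.level - reduction)
    return replace(risk, vulnerability=replace(risk.vulnerability, level=new_level))


# Constructed register for a small university department.
REGISTER = [
    Risk(Asset("student records database", 5),
         Threat("disclosure of records by an outsider", 2),
         Vulnerability("public-facing server with missing security updates", 3)),
    Risk(Asset("lecture material web server", 3),
         Threat("virus outbreak on staff workstations", 3),
         Vulnerability("no centrally managed anti-virus", 2)),
    Risk(Asset("printed timetables", 1),
         Threat("fire in the notice-board area", 1),
         Vulnerability("no fire detection nearby", 3)),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{risk_level(risk_score(r)):6} {risk_score(r):3}  {r.asset.name}: {r.threat.name}")
    # A patch-management process is assumed to cut the vulnerability level by 2.
    residual = apply_countermeasure(REGISTER[0], reduction=2)
    print("residual:", risk_level(risk_score(residual)), risk_score(residual))
```

The point of banding the score is that stage 2 and stage 3 both end in a management review: managers decide which band is tolerable, and the register shows what remains above that line after each countermeasure is applied.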

Octave

Operationally Critical Threat, Asset, and Vulnerability Evaluation

What is OCTAVE?

A comprehensive, repeatable methodology for identifying risks in networked systems through organizational self-assessment.
Helps organizations apply information security risk management to secure their existing information infrastructure and to protect their critical information assets.

Goal of OCTAVE

Plan how to apply good security practices to address organizational and technical vulnerabilities that could impact critical assets
Two versions: one for large organisations (> 300 employees) and one for small organisations
Organizational issues: policies or security practices
Technical issues: technology infrastructure

Information Security Risk Management Framework

Mind the gap

Security Practices Gaps Result From an Organizational Communication Gap

Octave is the bridge

OCTAVE is an Organizational Approach to Security Risk Management

The process

OCTAVE Analysis Team

An interdisciplinary team (4-6) consisting of:
business or mission-related staff
information technology staff

Phase 1: Organizational View

Data gathering of the organizational perspectives on:
assets
threats to the assets
security requirements of the assets
current protection strategy practices
organizational vulnerabilities

The perspectives will come from:
senior managers
operational area managers (including IT)
staff (from the operational areas and IT)

Phase 1 Questions

What are your organization's critical information-related assets?
What is important about each critical asset?
Who or what threatens each critical asset?
What is your organization currently doing to protect its critical assets?
What weaknesses in policy and practice currently exist in your organization?

Asset

Something of value to the organization that includes one or more of the following:
information
systems
services and applications
people

An asset is critical when there will be a large adverse impact to the organization if:
the asset is disclosed to unauthorized people.
the asset is modified without authorization.
the asset is lost or destroyed.
access to the asset is interrupted.

Asset protection requirements

Prioritize the qualities of an asset that are important to the organization:
confidentiality
integrity
availability

Example for availability: Internet access should be provided 24x7x365, 97% of the time.

Threat

An indication of a potential undesirable event involving a critical asset.
Examples:
A disappointed student could set a fire.
A virus could interrupt access to the university network.
An operator may set the firewall to deny all access without noticing.

Threat Properties

Critical Asset
Actor (human, system, other)
Motive (deliberate or accidental); human actor only
Access (network or physical); human actor only
Outcome:
Disclosure or viewing of sensitive information
Modification of important or sensitive information
Destruction or loss of important information, hardware, or software
Interruption of access to important information, software, applications, or services

Asset-based risk profile

Phase 2: Technology View

Identify technology vulnerabilities that provide opportunities for impacting critical assets.

Methods / Tools

You can use a variety of methods and tools:
Interviews with people
Documentation analysis
Network scanners
Log analysers
Vulnerability assessment tools
etc.

Phase 2 Questions

How do people access each critical asset?
What infrastructure components are related to each critical asset?
What technological weaknesses expose your critical assets to threats?

Phase 3: Risk Analysis

Establish the risks to the organization's critical assets.
Define mitigation plans to protect the critical assets.
Characterize the organization's protection strategy.
Identify the next steps to take after the evaluation to ensure progress is made.

Impact Evaluation Criteria

Define the organization's tolerance for risk.
Standard areas of impact considered include:
reputation/customer confidence
life/health of customers
productivity
fines/legal penalties
financial
other

Expression of Risk

A risk is expressed using:
a threat scenario (a branch on a threat tree)
the resulting impact on the organization

Example
Viruses can prevent staff members from accessing the network. They will not prepare their lectures on time.
Impact value: medium

Threat scenario

(Figure: the human-actor threat tree for one asset.) The tree branches left to right through the threat properties: asset, then access (network, with the actor inside or outside), then actor, then motive (accidental or deliberate), then outcome (disclosure, modification, loss/destruction, interruption), and finally the impact of that branch.

Impact values marked on the figure: High and Low on the accidental branches; Medium, High, High and Low on the deliberate branches for disclosure, modification, loss/destruction and interruption respectively.
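The threat tree above and the impact evaluation criteria from the earlier slide can be worked through in code: enumerate the branches of the human-actor tree for one asset, rate the consequences of a branch against per-area criteria, and express each risk as a (threat scenario, impact value) pair ordered for the Phase 3 questions. This Python is an added example written for these notes, not part of the slides or of the OCTAVE worksheets; the criteria thresholds, the sample asset and the consequence estimates are constructed, and the virus example from the slides is placed on the outside/accidental/interruption branch for illustration.

```python
"""OCTAVE-style threat tree and impact evaluation for one critical asset.

Added example; not from the slides and not the OCTAVE method's own
worksheets. Impact criteria, sample asset and estimates are constructed.
"""
from dataclasses import dataclass
from itertools import product

# Threat properties from the slides (human-actor branch of the tree).
ACCESS = ("network", "physical")
ACTOR = ("inside", "outside")
MOTIVE = ("accidental", "deliberate")
OUTCOME = ("disclosure", "modification", "loss/destruction", "interruption")
IMPACT_ORDER = {"Low": 0, "Medium": 1, "High": 2}


@dataclass(frozen=True)
class ThreatScenario:
    """One branch of the tree: asset -> access -> actor -> motive -> outcome."""
    asset: str
    access: str
    actor: str
    motive: str
    outcome: str


def human_actor_tree(asset: str) -> list[ThreatScenario]:
    """Enumerate every branch of the human-actor threat tree for an asset."""
    return [
        ThreatScenario(asset, access, actor, motive, outcome)
        for access, actor, motive, outcome in product(ACCESS, ACTOR, MOTIVE, OUTCOME)
    ]


# Assumed impact evaluation criteria: for each impact area, the estimate at
# which the impact becomes Medium and the estimate at which it becomes High.
# The thresholds express the organisation's risk tolerance; these are constructed.
CRITERIA = {
    "productivity": (4, 40),        # staff hours lost
    "financial": (1_000, 20_000),   # cost in euros
    "reputation": (1, 2),           # 0 none, 1 local coverage, 2 national coverage
    "fines/legal": (1, 2),          # 0 none, 1 warning, 2 fine or lawsuit
    "life/health": (1, 2),          # 0 none, 1 minor injury, 2 serious harm
}


def rate_area(area: str, estimate: float) -> str:
    """Rate one impact area against its thresholds."""
    medium_at, high_at = CRITERIA[area]
    if estimate >= high_at:
        return "High"
    if estimate >= medium_at:
        return "Medium"
    return "Low"


def impact_value(consequences: dict[str, float]) -> str:
    """Overall impact is the worst rating over the areas that were estimated."""
    ratings = [rate_area(area, est) for area, est in consequences.items()]
    return max(ratings, key=IMPACT_ORDER.__getitem__, default="Low")


def express_risks(evaluated):
    """Turn (scenario, consequences) pairs into risks, highest impact first."""
    risks = [(scenario, impact_value(consequences)) for scenario, consequences in evaluated]
    return sorted(risks, key=lambda r: IMPACT_ORDER[r[1]], reverse=True)


# Constructed evaluation of two branches for the asset "university network".
VIRUS_INTERRUPTION = ThreatScenario(
    "university network", "network", "outside", "accidental", "interruption")
GRADE_TAMPERING = ThreatScenario(
    "university network", "network", "inside", "deliberate", "modification")
EVALUATED = [
    # Slide example: a virus stops staff reaching the network; lectures are late.
    (VIRUS_INTERRUPTION, {"productivity": 8, "financial": 500, "reputation": 0}),
    # Constructed: an insider alters stored grades; national coverage, possible lawsuit.
    (GRADE_TAMPERING, {"reputation": 2, "fines/legal": 1, "productivity": 16}),
]

if __name__ == "__main__":
    print(len(human_actor_tree("university network")), "branches in the threat tree")
    for scenario, impact in express_risks(EVALUATED):
        print(f"{impact:6} {scenario.actor}/{scenario.motive}/{scenario.outcome}"
              f" of {scenario.asset}")
```

Taking the worst area rating as the impact value reproduces the slide's "Impact value: medium" for the virus scenario, since lost productivity is the only area that crosses a threshold; the ordered list is what the Phase 3 question "Which are the highest priority risks?" needs.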

Phase 3 Questions

What is the potential impact on your organization due to each threat? What are your organization's risks?
Which are the highest priority risks to your organization?
What policies and practices does your organization need to address?
What actions can your organization take to mitigate its highest priority risks?
Which technological weaknesses need to be addressed immediately?

Outputs of Octave

Protection Strategy: defines organizational direction
Mitigation Plan: plans designed to reduce risk
Action List: near-term action items

Protection Strategy

Structured around the catalog of practices and addresses the following areas:
Security Awareness and Training
Security Strategy
Security Management
Security Policies and Regulations
Collaborative Security Management
Contingency Planning/Disaster Recovery
Physical Security
Information Technology Security
Staff Security

Mitigation Plan

Defines the activities required to remove or reduce unacceptable risk to a critical asset.
Focus is on activities to:
recognize or detect threats when they occur
resist or prevent threats from occurring
recover from threats if they occur

Mitigations that cross many critical assets might be more cost-effective as protection strategies.

OCTAVE-S

Defines a more structured method for evaluating risks in small (less than 100 employees) or simple organizations:
requires less security expertise in the analysis team
requires the analysis team to have a full, or nearly full, understanding of the organization and what is important
uses fill-in-the-blank as opposed to essay style

Will also be defined with procedures, guidance, worksheets, information catalogs, and training.

OCTAVE Information

Visit http://www.cert.org/octave
Introduction to the OCTAVE Approach
OCTAVE Method Implementation Guide
OCTAVE-S (version 0.9)

Book: Managing Information Security Risks: The OCTAVE Approach, by Christopher Alberts and Audrey Dorofee, Addison-Wesley.
