Automation of Risk Analysis and Management

www.buslab.org Brno – Center of Education and Innovation. Automation of Risk Analysis and Management. Dan Cvrcek, Marek Kumpost - BUSLab; Ludek Novak - ANECT

Post on 06-Jan-2016

Page 1: Automation of Risk Analysis and Management

www.buslab.org Brno – Center of Education and Innovation

Automation of Risk Analysis and Management

Dan Cvrcek, Marek Kumpost - BUSLab

Ludek Novak - ANECT

Page 2: Automation of Risk Analysis and Management

BUSLab – IT Security Laboratory

BUSLab (Brno University Security Laboratory)

● Informal security research group of Brno University of Technology and Masaryk University

● Concentrates people interested in IT security

● Research projects, conferences, industrial cooperation

● Leading persons: Dan Cvrcek, Vashek Matyas

Cooperation with ANECT

● Strong company in the area of network infrastructures and risk management

● Certified by Czech NSA for classified information

● Experience with critical infrastructures

Page 3: Automation of Risk Analysis and Management

BUSLab Expertise

Privacy

● Participate in the FIDIS project (Future of Identity in Information Society)

● Strong cooperation with KU Leuven, TU Dresden

Reputation Systems

● Experience of participation in SECURE project

● Currently running national research project

● Implementation of reputation system for WiFi networks

Secure Cryptographic Devices

● Cooperation with Cambridge University, security of crypto-modules, smartcards, Chip&PIN cards

Key infrastructures

● Design of schemes for key management in emerging areas like sensor networks

Page 4: Automation of Risk Analysis and Management

Management of Security

Crucial problem of security is to pinpoint the important risks/threats

No-one ever did this for home computers used for Internet banking, personal communication, and recently voice communication

Number of different methodologies for large systems (CRAMM, CobiT, EBIOS, RA2 art of risk, …)

● Hard to utilise, expensive, and time consuming

● An audit may take several months

● Not usable for everyday management, fast-changing environments

Unreachable for common users, SMEs, government

Page 5: Automation of Risk Analysis and Management

If

Floods

● Reevaluate communications, transport, healthcare, …

● Coordinate emergency services, supplies, …

● Later on – change infrastructures, …

Air-traffic suspension

● Delivery of goods, passengers, strengthening other means of traffic

● Transport of perishable goods, drugs, organs for transplantations

● Later on – security measures, obligations for airlines, …

Multidisciplinary assessment, analysis, reaction, …

Page 6: Automation of Risk Analysis and Management

Risk Management Starting Points

EU business needs a genuine risk management arrangement combining

● Risk-correctness – appropriate accuracy of data about system and applicable threats

● Control-effectiveness – measures are effective and fulfill their goals and objectives

● Cost-efficiency – economically reasonable

● Time-dependency – risk management must react to changes of system and its environment

Methodologies for risk management are not stable yet

● ISO is rewriting its recommendations (General risk management principles, Information security risk management)

● EU – ENISA’s recommendations for risk management

Page 7: Automation of Risk Analysis and Management

Project Relevance and Needs

ENISA Risk Management Road Map

● 9 of 10 identified areas are directly relevant

● Interoperability/compatibility of methods

● Comparability/merging of methods

● Measurements of risks

● Unified information bases for risk management

● Risk management and relevant security issues

● Business Continuity Planning (BCP)

● Emerging risks

● Awareness, training, communication

● Security measurement

● Methods inventory maintenance

Page 8: Automation of Risk Analysis and Management

Project Objectives and Focus

Develop risk management environment/tools able to:

● Integrate risk management in different domains - operational, environmental, information, …

● Integrate risk management in different levels of details

● Timely, effective, and efficient reassessment of relevant security aspects

Hierarchical risk management

● Subordination of risk management engines

● Coverage of risks by subordinate management engines

● Data flows (downwards threats, upwards impact/risk)

● Access control to sensitive data

● XML based information exchange schemes

Pilot

● Usability in different situation (home, SME, government)

● Quick spreading of change data on risks

Page 9: Automation of Risk Analysis and Management

Added Value and Project Innovation

Nearly real-time tools helping to solve situation

Tight risk management environment integrating different risk domains

● SME, Government, Large enterprises

● Informatics: integration of differently focused methodologies

● Critical infrastructure protection: telecommunications, emergency, utilities, healthcare, banking, transportation, government, …

Tight risk management environment integrating different risk levels

● Government: Region-Local, Country-Region, EU-Country

● Large enterprises: Central office-Branches

● Informatics: integration of individual systems

Page 10: Automation of Risk Analysis and Management

Thanks for your attention!

Questions, comments …

Useful links

BUSLab’s web page: http://www.buslab.org

ANECT: http://www.anect.cz

emails:

Dan Cvrcek [email protected]

Marek Kumpost [email protected]

Ludek Novak [email protected]