development and implementation of metrics for information security risk assessment
TRANSCRIPT
IIS 2006
Development and implementation of metrics for information security risk assessment
Mario Sajko
Risk Assessment
An unavoidable method for information security improvement
Widely accepted as an instrument for information security management and analysis
Way to determine the required investment into security
Risk Metrics
A system for gathering, assessing, measuring and comparing the data that indicate the behaviour, results, state and consequences of risk factors
A system for transforming the measured quantities and presenting the risk value in a form suitable for reporting to management
A system that answers the questions: which information will be gathered, which statistics will be computed, and how, where and when the information will be gathered
Example of different risk assessment approaches (metric and its risk function)
M. Krause: [threat] x [vulnerability] x [assets value]
FMEA: [S] x [O] x [D] (severity, occurrence, detection)
CRAMM: [value] x [threats] x [vulnerability]
RuSecure: vulnerability, value, influence, frequency and possibility to work
FRAP: [vulnerability], [business impact]
NIST: ranks matrix of [vulnerability], [threats]
ISO: assets, threats, probability of threat appearance, asset vulnerability, existing protection
Octave: [assets] x [threat] x [vulnerability]
COBRA: relative relationship
What-if: subjective assessment
ALE (annualised loss expectancy)
Actual risk assessment practice
Risk factors are combined and assessed in different ways
The consequence is a different calculation of the risk size: by using different methods we obtain different risk values for the same group of assessed subjects
What is thereby put in doubt is the determination of cost and the quality of the assessment
Why there are differences among risk assessment methods
The technological and organisational components of a security system are coordinated differently, and combined differently into the overall risk size
The existing information about the infosec features is combined differently
The inputs are transformed into risk assessment sizes and values in different ways
The problem can be solved!
Combine the different forms of metric values into a metrics system
Establish how input data about the security state is transformed into information about the risk value
Coordinate the risk function with the security goal and the features of the information resource
Connect the individual metrics for the different areas of the IT infrastructure into an integral system
Infosec risk dimensions
The proportion of a particular dimension in the metrics system depends on the type of information assets as well as on the security goals of the company
It cannot be resolved in advance
Risk metrics features
Immeasurable sizes should be turned into measurable ones
Subjective indicators should be turned into objective ones
Horizontal connection between measures
Vertical connection between measures
Results should suggest changes and improvements
Turning immeasurable sizes into measurable ones: the rule indicates that the risk factors for the observed assets have to be expressed in some way, however difficult or even impossible that seems
Group assessment methods are recommended for this
Turning subjective indicators into objective ones: the rule indicates that risk indicators should be made more exact and should also be quantified
Subjectivity in assessment is especially pronounced in descriptive risk expression
Transformation by numeric ranks (1-5, 1-10 and similar), relative sizes (%) or absolute values (frequency, probability) is recommended
Horizontal relationship between measures: it determines how the assessment results on a particular level are cumulated
Level (%)  Level      Point  Meaning
100%       Very high  1      Incident realisation is very achievable
75%        High       2      Possibility for incident realisation is high
50%        Medium     3      It is considered that there is a possibility for realisation of a security incident
25%        Low        4      Incident realisation risk is very low
(0%)       Lowest     5      There is very low possibility that an incident will take place
Differently expressed results for each level of assessment must be aligned and cumulated in order to determine the amount of risk.
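The slides "Actual risk assessment practice" and "Horizontal relationship between measures" make two claims that are easiest to see on concrete numbers: the same assets get different risk values (and even a different ranking) under different risk functions, and results expressed on different scales must be aligned to one level/point scale before they can be cumulated. The following Python example is added here and is not part of the paper; the three assets, their ranks, the 3x3 ranks matrix and the interval boundaries used for the 1..5 point scale are all constructed assumptions, while the risk functions themselves are the ones listed in the approaches table (Krause/CRAMM product, FMEA S x O x D, NIST-style ranks matrix).

```python
"""Constructed illustration: three assets scored with three of the risk
functions from the approaches table, then aligned to the slide's 1..5
level/point scale. All asset figures are invented for this example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: int          # asset value, rank 1..5
    threat: int         # threat likelihood, rank 1..5
    vulnerability: int  # vulnerability severity, rank 1..5
    severity: int       # FMEA S, rank 1..10
    occurrence: int     # FMEA O, rank 1..10
    detection: int      # FMEA D, rank 1..10 (10 = hardest to detect)


# Constructed sample assets (not taken from the paper).
ASSETS: List[Asset] = [
    Asset("customer-db", 5, 3, 4, 9, 3, 2),
    Asset("public-web", 3, 5, 5, 5, 8, 6),
    Asset("dev-wiki", 2, 2, 5, 3, 7, 8),
]


def product_model(a: Asset) -> float:
    """[threat] x [vulnerability] x [assets value] (Krause / CRAMM), as % of the maximum 125."""
    return a.threat * a.vulnerability * a.value * 100 / 125


def fmea_rpn(a: Asset) -> float:
    """FMEA risk priority number [S] x [O] x [D], as % of the maximum 1000."""
    return a.severity * a.occurrence * a.detection * 100 / 1000


# Assumed 3x3 ranks matrix in the NIST style: threat band (rows) x vulnerability band (cols),
# already expressed as a percentage of the highest cell.
_MATRIX = [[10, 25, 50], [25, 50, 75], [50, 75, 100]]


def _band(rank: int) -> int:
    """Collapse a 1..5 rank into low (0), medium (1) or high (2)."""
    return 0 if rank <= 2 else 1 if rank == 3 else 2


def ranks_matrix(a: Asset) -> float:
    return float(_MATRIX[_band(a.threat)][_band(a.vulnerability)])


METHODS: Dict[str, Callable[[Asset], float]] = {
    "product": product_model, "fmea": fmea_rpn, "matrix": ranks_matrix,
}

# Level/point scale from the slide; the interval boundaries (midpoints between the
# slide's 100/75/50/25/0 anchors) are an assumption, since the slide gives none.
LEVELS: List[Tuple[float, int, str]] = [
    (87.5, 1, "Very high"), (62.5, 2, "High"), (37.5, 3, "Medium"),
    (12.5, 4, "Low"), (0.0, 5, "Lowest"),
]


def to_level(percent: float) -> Tuple[int, str]:
    """Align a percentage from any method to the common (point, level) scale."""
    for lower, point, label in LEVELS:
        if percent >= lower:
            return point, label
    return 5, "Lowest"


def assess(assets: List[Asset], method: str) -> Dict[str, float]:
    return {a.name: METHODS[method](a) for a in assets}


def ranking(assets: List[Asset], method: str) -> List[str]:
    """Asset names ordered from highest to lowest risk under one method."""
    scores = assess(assets, method)
    return sorted(scores, key=lambda n: scores[n], reverse=True)


def level_table(assets: List[Asset]) -> Dict[str, Dict[str, int]]:
    """Point (1 = worst) each asset receives under each method, after alignment."""
    return {a.name: {m: to_level(f(a))[0] for m, f in METHODS.items()} for a in assets}


if __name__ == "__main__":
    for m in METHODS:
        print(m, ranking(ASSETS, m), {n: round(v, 1) for n, v in assess(ASSETS, m).items()})
    print(level_table(ASSETS))
```

Running it shows the point the slides make: "customer-db" is ranked second by the product model and the matrix but last by the FMEA number, and after alignment it lands on point 3, 5 or 2 depending on the method, so cumulating results across methods without an agreed scale would mix incomparable values.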
Vertical relationship between levels of assessment: on each superior level, the metrics system should be able to coordinate the risk information of the subordinate level, according to the type of assessment and the type of metric used
Results should suggest changes and improvements: the presented assessment results should indicate the trend and the changes over a time period, and make it possible to foresee the future condition.
Graphic presentation techniques are recommended
Risk reports should not be too detailed; it is recommended to express the assessment results in quantitative terms.
(A statement such as "risk tolerant < AssessedRisk < risk critical" does not mean much on its own)
Security metrics system implementation
Stage of identifying the actual security program and the critical information assets
Finding out which risk factors will be assessed and can be established for the targeted information assets
Assessment or assignment of the similarity intensity (qualitative, descriptive, quantitative) to the security features
Presentation of the risk size
CONCLUSION
The risk size depends on the metric type and on the way the metrics are used
Discovering and gathering some particular information for a metric is difficult because of the nature of the information assets being assessed
It is still an open question which risk metric assessment should be used in a specific situation
The modelling and development of a metrics system, as well as the question of metric quality, remain unsolved
The company has to determine a metrics system suitable for its security program.
The benefits of this work
Definition of 5 features, or so-called "good metrics principles"
Some general suggestions for an implementation program:
Coordination of the metrics with the security program
Determined responsibility for the metrics program
Defined relationships among the measures (consistency of the measuring with the object of measurement, and use of the corresponding metric type)
Assessment of only the important factors (assessment of less important risk factors not only "spoils" the assessment results but also diverts attention from more important information)
Metrics system development process in a few key stages