Creation of a Risk Assessment Methodology - DiVA …411977/FULLTEXT01.pdf · Thales Security...
Creation of a Risk Assessment Methodology
Nicolas Lefebvre
Master of Science Thesis, Stockholm 2007
CREATION OF A RISK ASSESSMENT METHODOLOGY
PRESENTED AT
INDUSTRIAL ECOLOGY ROYAL INSTITUTE OF TECHNOLOGY
Supervisor & Examiner:
RONALD WENNERSTEN
Creation of a Risk Assessment Methodology
Final Degree Project KTH – Industrial Ecology
Company: Thales Security Systems Supervisor: Ronald WENNERSTEN
Student: Nicolas LEFEBVRE
April 28th 2007
Final Degree Project
2007-04-12
Nicolas Lefebvre Creation of a Risk Assessment Methodology Page 2/57
Abstract
This report presents the work carried out during an internship at the consultancy division of Thales Security Systems from September 2005 to June 2006. Thales Security Systems is part of Thales, an international group active in defence, aeronautics and related markets.
The work consisted in creating a new risk assessment methodology for a commercial offer called HELP, standing for Human, Environmental, Logical and Physical security. As a basis for this work, five existing risk assessment methodologies were studied, summarised and analysed:
• Integrated security risk assessment: a methodology created by Thales Security Systems but not used because of its complexity
• EBIOS: a complete risk assessment methodology created by the French government
• Marion: more or less an audit questionnaire
• ISO 17799 audit questionnaire: an audit questionnaire created by Thales Security Systems
• A confidential methodology: a methodology from another company, with interesting concepts
To complete this first work, many interviews were conducted with specialists in risk assessment and strategy:
• Counter-admiral Girard, who insisted on the preliminary task of defining the mission and its limits, on the return of experience and on the security frame of mind
• Guy Dubois, on maintaining the security level year after year
• Thomas Lebouc, on the tools used to apply the methodology
• Gérard Pesch, regarding the commercial offer
• Yves le Dauphin, on the human issues
The advantages and drawbacks of the studied methodologies were then compared so as to determine the essential characteristics the new methodology had to have.
The new methodology was thus created taking into account all these advantages, drawbacks and pieces of advice. It is a five-step methodology:
• Definition of the mission and its limits: determination of the objectives of the mission and its perimeter
• General analysis of the system: study of the system in its environment
• Risk analysis: determination of the threats, assets and vulnerabilities
• Protection standards: determination of the protection measures to implement
• Budget, action plans and implementation
To apply the methodology, several tools were created. They are necessary for the proper running of the methodology, as they help to present results clearly. These tools are, for example, a risk analysis board, a vulnerability audit questionnaire, diagrams and protection standard sheets.
Table of contents
Abstract ..... 3
Table of contents ..... 5
Introduction ..... 8
Aims and objectives ..... 9
Methodology ..... 10
I_ Presentation of the company and its needs ..... 11
I_1. Thales – Organisation ..... 11
I_2. Thales Security Systems ..... 12
I_3. Consultancy division ..... 13
II_ Description: Presentation of several different methods and interviews ..... 14
II_1. Methodologies ..... 14
II_1.1. Integrated Security Risk Management – Philippe Bouvier ..... 14
II_1.1.1. Identification of targets to protect ..... 15
II.1.1.1.a Define missions related to the system ..... 15
II.1.1.1.b Identify targets in the system ..... 15
II.1.1.1.c Evaluate the security needs of each target ..... 15
II_1.1.2. Identification of threats and vulnerabilities ..... 15
II.1.1.2.a Identify threats ..... 15
II.1.1.2.b Identify existing security measures and residual vulnerabilities ..... 15
II_1.1.3. Focus on risks and protective solutions ..... 16
II.1.1.3.a Define the risk zone to be covered ..... 16
II.1.1.3.b Propose a risk reduction plan ..... 16
II_1.2. Ebios ..... 17
II_1.2.1. Study of the context and the environment ..... 17
II_1.2.2. Evaluation of the security needs ..... 18
II_1.2.3. Study of the threats ..... 18
II_1.2.4. Identification of the security objectives ..... 18
II_1.2.5. Determination of the security expectations ..... 18
II_1.3. Marion ..... 19
II_1.3.1. Principles of the methodology ..... 19
II_1.3.2. Running of the methodology ..... 19
II.1.3.2.a Preparation ..... 19
II.1.3.2.b Vulnerability audit ..... 19
II.1.3.2.c Risk assessment ..... 20
II.1.3.2.d Action plan ..... 20
II_1.4. ISO 17799 – Questionnaire Audit ..... 22
II_1.5. Confidential risk assessment methodology ..... 23
II_2. Interviews ..... 24
II_2.1. Interviews Counter-admiral Girard ..... 24
II_2.2. Interviews Guy Dubois ..... 24
II_2.3. Interviews Thomas Lebouc ..... 25
II_2.4. Interviews Gérard Pesch ..... 25
II_2.5. Interviews Yves Le Dauphin ..... 25
II_3. Application on two sites ..... 26
III_ Analysis: Comparison of the methodologies ..... 27
IV_ Discussion: the new methodology ..... 30
IV_1. Expectations of the company ..... 30
IV_2. The new methodology ..... 30
IV_2.1. Introduction ..... 30
IV_2.2. General Principles ..... 30
IV_2.3. General Organisation ..... 31
IV_2.4. Glossary ..... 34
IV_2.4.1. Asset ..... 34
IV_2.4.2. Threat ..... 34
IV_2.4.3. Vulnerability ..... 34
IV_2.4.4. Risk ..... 34
IV_2.5. Step 0: Definition of the mission and its limits ..... 35
IV_2.6. Step 1: General analysis of the system ..... 35
IV_2.7. Step 2: Risk Analysis ..... 37
IV_2.8. Step 3: Protection standards ..... 39
IV_2.9. Step 4: Budget, action plans and implementation ..... 41
IV_2.10. Advantages ..... 42
IV_2.10.1. Accidents and malevolent actions ..... 42
IV_2.10.2. Security return on investment ..... 42
IV_2.10.3. Definition of the mission ..... 42
IV_2.10.4. Several levels of application ..... 42
IV_2.10.5. Lots of references and return of experience ..... 42
IV_2.10.6. Easy to use tools ..... 43
V_ Application and practical tools ..... 44
V_1. Security needs ..... 44
V_1.1. Security needs ..... 44
V_1.2. Criticity of assets scheme ..... 44
V_2. Vulnerability audit ..... 46
V_2.1. Questionnaire ..... 46
V_2.2. Scheme ..... 46
V_3. Vulnerability board ..... 48
V_4. Protection standard sheet ..... 49
V_5. Risk analysis board ..... 50
V_5.1. Global threat ..... 50
V_5.2. Attractiveness ..... 50
V_5.3. Vulnerabilities ..... 50
V_5.4. Vulnerability level ..... 50
V_5.5. Impact ..... 50
V_5.6. Real threat ..... 50
V_5.7. Qualification of the risk ..... 51
V_6. Miscellaneous ..... 53
V_6.1. List of threats ..... 53
V_6.2. Risk Analysis questionnaire ..... 53
VI_ Further discussion ..... 54
Conclusion ..... 56
Bibliography ..... 57
Introduction
Security and risk assessment are becoming more important every day. Globalisation, new means of communication, the rise of terrorism and similar developments increase the threats and risks that companies have to face. More than ever, risks are, or at least should be, at the centre of every company's strategy. Risks are no longer due only to accidents and errors: new risks arise from malevolent actions by external and internal aggressors.
Previously, fencing an industrial site was sufficient protection; nowadays, aggressors are more intelligent and better equipped, and the means of protection must adapt to these new risks. Assessing risk is therefore becoming not only frequent but necessary. Many companies have created their own way of assessing risks and dealing with them. Unfortunately, these methods are often too simple and not adapted to the rapid rise of malevolent actions. Moreover, they are generally created by people who cannot easily explain their methods to new employees. The security frame of mind is not yet present in companies.
There is therefore an obvious need for risk assessment methodologies. Companies have to know their specific risks in order to counter them and to implement security measures adapted to those risks.
To create a new risk assessment methodology, a study was carried out of the existing methodologies, together with interviews of several specialists of the risk assessment sector. This study describes how several methodologies run and highlights their respective advantages and drawbacks. Compared with each other, it is clear that none of them is the adequate methodology, the good one.
A new methodology gathering the advantages of the different existing methodologies would therefore constitute a real improvement in risk assessment.
Aims and objectives
The aim of the project was to create a new risk assessment methodology in line with the spirit of the company, which could be applied to every risk assessment project by young, non-experienced consultants not yet specialised in the risk assessment domain.
The objectives of the project were to:
o Determine the needs of the company
o Gather information on several existing risk assessment methodologies
o Compare the different methodologies
o Create a new methodology
o Apply it to a specific practical case to develop practical tools
o Improve the methodology and maintain it
Methodology
The first task during the internship was to understand how the consultancy division of the company operated, as well as its needs regarding a new methodology. The requirements of the company where I was working were the first element to understand so as to create a methodology adapted to its wishes.
Creating a new methodology also required a clear and well-defined working method. To carry out my mission, I decided to compare several risk assessment methodologies already existing in the risk assessment business. The sources of information used for this work were the internet, interviews, conferences, books and documents. The comparison of the existing methodologies was necessary to get sufficient knowledge of risk assessment and of risks in general, but also to be able to create the new methodology, as it is actually based on the five methodologies (and their main advantages and drawbacks) studied during the internship.
The first five months of the internship were entirely theoretical, as they were spent studying these existing risk assessment methodologies. The work was to study and understand their organisation and their main advantages and drawbacks. This helped to determine which characteristics the new methodology should have and which drawbacks it should avoid. The methodology was also developed thanks to many interviews with specialists in risk assessment and strategy, during which my questions and problems were often answered. These interviews helped to reach a better methodology, more adapted to the expectations of the market.
To reach the best possible methodology, it was then tested on two practical cases, which are not summarised in this report for obvious reasons of confidentiality. Nonetheless, the improvements made possible by these tests have been integrated into the methodology. The tools necessary to use the methodology properly, which were developed during the application tests, are also described in this report.
I_ Presentation of the company and its needs
The internship was carried out in the consultancy division of Thales Security Systems over a 10-month period, from September 2005 until June 2006. A short description of the company follows, so as to better understand the work carried out for it. The small diagram is a simple representation of the position of the consultancy division, in which the internship was carried out.
I_1. Thales – Organisation
Traditionally described as "professional electronics", the Thales group's businesses are primarily dedicated to critical information systems for defence, aerospace, transport and civil security applications. Thales provides its customers with all the key functions in the critical information loop, from detection and processing to transmission and distribution, including command and control, decision-support and operational analysis.
In 2004, the Group reorganised itself into six divisions, each defined according to its respective markets. The new structure fosters closer relations with customers and leverages technical and technological commonalities to serve both military and civil markets more efficiently.
– The Aerospace division covers three major segments: equipment for civil and military aircraft, mission electronics for combat aircraft, and airborne surveillance & mission systems for armed forces and civil security authorities,
– The Air Systems division serves two main markets: air defence and missile systems for military customers, and civil air traffic management systems,
– The Land & Joint Systems division develops network-centric systems and network-enabled equipment for land forces and joint and allied commands. It also draws on its dual technology capabilities to develop tailored offerings for selected civil customers,
– The Naval division focuses on four key areas of expertise: warship prime contracting, systems for surface ships, underwater systems and naval services, including maritime security,
– The Security division leverages the Group's technology expertise to provide risk management solutions for civil, government and private-sector customers,
– The Services division capitalises on Thales’ experience in providing IT services, simulation-based training and other services to military and aerospace customers, with an extended offering tailored to major government, institutional and enterprise customers.
All six divisions draw on a common platform of technologies underpinning the complex systems and real-time information management that Thales customers require. Enhancing that platform of technologies on a permanent basis, up to 20,000 Thales engineers and technicians in all Group companies operate as a worldwide network to conduct focused research and development in partnership with the international scientific and academic research community. All divisions benefit directly from the Group's multidomestic presence, an exceptional asset that enables Thales to forge close ties with governments and local customers in each country of operation in order to meet national sovereignty requirements more effectively. Expanding this international presence remains a top strategic priority. (Thales annual report 2005, Overview page 3, 2005)
I_2. Thales Security Systems
Thales Security Systems belongs to the Security division of Thales, whose goal is to bring the expertise of Thales in transverse security and in innovative security solutions to every market: companies, but also major events (Olympic Games, World Cup, etc.) and governments (the struggle against terrorism, for example). (TSS, Site and public event security, 2007)
The divisions of Thales Security Systems are the following: (TSS, Domaines, 2007)
o Security of sites and events
o Operational Security Centres
o NRBC (nuclear, radiological, biological and chemical) security
o Identity (security of passports, national identity cards, etc.)
o Information systems security
o Consultancy division
Thales Security Systems designs, sells and integrates technological systems whose goal is to protect the critical infrastructures of its customers (companies, local authorities, government bodies) throughout the world. Through its six divisions, these systems cover all aspects of global security.
Thales Security Systems offers a broad range of services such as consultancy work, architectural definition, integration of complex systems and other solutions for the design, installation, implementation and maintenance of security systems. (TSS, Identité, 2007)
I_3. Consultancy division
The consultancy division of Thales Security Systems is one of the smallest divisions of the company: it is composed of 30 people and has a total turnover of around 10 million euros. It delivers two kinds of consultancy work.
First, Thales Security Systems has built a transverse offer for the management of security risks, based on long work with the managers of important companies. This offer gives chief executive officers a transverse vision of security risks, which helps to know where it is urgent and necessary to implement security solutions, and thus supports the sustainable development of the companies. (TSS, Présentation conseil, 2007)
Second, the consultancy division can also provide technical solutions for the security of information systems. To carry out these missions, it performs vulnerability audits, studies the architecture of the information systems, or even tries to break into them so as to demonstrate their weaknesses. This work is done by so-called ethical hackers. (TSS, Comprehensive information system security)
As outsourcing, offshoring, globalisation and so on are now a reality, new laws, new regulations and new threats are appearing (sanitary risks, terrorism, etc.). Companies therefore have to face new kinds of risks, because of the increasing number of stakeholders they deal with for their development. Moreover, companies often cope with risks activity by activity and not on a transverse scale. The consultancy division of Thales Security Systems therefore created an offer covering all risk management needs, whatever they are: human, environmental, logical or physical. This offer is called HELP, standing for Human, Environmental, Logical and Physical.
Logo for the HELP offer
II_ Description: Presentation of several different methods and interviews
During the internship, several methods for assessing risks were studied. Many interviews were also conducted for the creation of the methodology, so as to understand the most important characteristics any risk assessment methodology should have. This part describes the general organisation and the specific features of the existing methodologies, together with a summary of the most important interviews.
II_1. Methodologies
II_1.1. Integrated Security Risk Management – Philippe Bouvier
Integrated Security Risk Management is a white paper written by Philippe Bouvier of Thales Security Systems. It includes a risk analysis part (chapter 2) which describes a risk assessment methodology. This methodology has 7 phases gathered into 3 main steps, as shown in the following diagram:
Diagram of Philippe Bouvier’s methodology
II_1.1.1. Identification of targets to protect
II.1.1.1.a Define missions related to the system
The goal of this step is to determine the aims and objectives of the system studied and to understand its main missions.
II.1.1.1.b Identify targets in the system
The targets of the system are the employees, the goods and everything that contributes to the objectives and missions of the company. Compromising one of these targets could harm the system's missions defined in the first step.
The value of the targets is important information for distinguishing the critical assets. This value should be estimated and assigned. It depends on the cost of acquiring and maintaining the asset, as well as on the loss that its loss or destruction would cause. This value helps to calculate the cost of the assets and to better judge the security measures to be implemented in the future (a highly valuable asset should be better protected than a cheap one).
The main result of this step is the identification of the critical targets and their value.
II.1.1.1.c Evaluate the security needs of each target
To prevent the loss of a target, it is necessary to implement security measures. For every target in the list just identified, this step evaluates the security needs in confidentiality, integrity and availability.
Knowing these security needs facilitates the choice of security measures. The main result of this step is therefore a matrix giving the security needs of each target against these three criteria.
II_1.1.2. Identification of threats and vulnerabilities
II.1.1.2.a Identify threats
The purpose of this step is to determine the list of threats that could harm the system and compromise its missions (cf. step 1). These threats should be linked to the objectives and missions that could be compromised.
For instance, an objective could be to ensure the confidentiality of internal telephone conversations, while the threat would be the tapping of internal telephone calls. The main result of this step is a matrix linking the objectives to the selected threats.
II.1.1.2.b Identify existing security measures and residual vulnerabilities
For each identified target, it is necessary to evaluate the actual protection level against the selected threats. This consists in identifying the vulnerabilities of the system by considering the gap between the actual level of protection and best practice. To identify them, it is useful to:
o Gather the best practices of protection measures for the type of company concerned
o Gather the internal studies such as audit reports, vulnerability tests, etc.
o Use the work of experts, etc.
Two matrices can then be produced at the end of this step:
o A matrix linking the targets to their vulnerabilities
o A matrix linking the threats to the vulnerabilities to alleviate
II_1.1.3. Focus on risks and protective solutions
II.1.1.3.a Define the risk zone to be covered
This step is a synthesis of the risk analysis; it helps to estimate the risk level to which the system is exposed. Estimating this level requires criteria, which are:
o Gravity or impact: the level of damage a threat could cause to an asset if the threat occurs
o Probability, or the frequency of the threat
As a synthesis, a matrix giving the gravity and probability of each threat is produced. Taking into account the probability and impact of each risk, the organisation then better understands which risks are the most critical and thus which should be reduced. At the end of this part, some risks are therefore selected to be reduced by protection means, and others are accepted because they have a low risk level, i.e. a low impact and a low probability.
II.1.1.3.b Propose a risk reduction plan
For all the risks selected, protection measures must be taken. They are gathered in the risk reduction plan. According to this plan, risks can be:
o Transferred, usually to an insurance company
o Rejected: the risk is simply ignored
o Reduced, by implementing security measures
o Accepted: the management understands the situation and decides to live with it
The risk reduction plan is the final document produced by this methodology. It also includes a matrix linking the threats to the measures that should be implemented to reduce the risks.
Source: Bouvier, 2004
II_1.2. Ebios
EBIOS stands for Expression of Needs and Identification of Security Objectives (Expression des Besoins et Identification des Objectifs de Sécurité). EBIOS is used to identify the risks an information system faces and to propose a security policy adapted to the security needs of the company. It was created by the DCSSI (Direction centrale de la sécurité des systèmes d'information), a French government body.
The EBIOS methodology is accompanied by free software which simplifies its application and generates synthesis documents automatically. It is a 5-step methodology:
Diagram of EBIOS methodology
II_1.2.1. Study of the context and the environment
The study of the context identifies which information system is at the centre of the study. This step defines the limits of the study: the presentation of the company, the architecture of the information system, the technical and legal constraints, and the commercial stakes.
Moreover, an information system relies on critical elements, functions and bodies, which are highly valuable entities for the company. This step consequently also defines the critical equipment and the human, technical and organisational means of the company.
II_1.2.2. Evaluation of the security needs The evaluation of the security needs helps to estimate the risks and to
define the risk criteria. The users of the information system define during this step the security needs of the different targets according to the impacts that they judge unacceptable.
The security needs express themselves depending on criteria like the availability, the integrity and the confidentiality.
II_1.2.3. Study of the threats The study of the threats helps to identify the risks depending on the
technical architecture of the information system. Then, the list of vulnerabilities is established depending on the equipment, the architecture and the software but not on the origins of the threat and their causes.
This step consequently consists of a selection and/or identification of the threats and vulnerabilities of the company and its information system.
II_1.2.4. Identification of the security objectives
The identification of the security objectives confronts the security needs with the selected threats so as to bring out the risks against which the information system must be protected: there is no need to protect what is not threatened, and the protection measures are thereby adapted to the system studied.
This step yields the security objectives, which form the main part of the security specifications and recommendations. The purpose of the security objectives is to remove or reduce the vulnerabilities that give rise to the different risks.
II_1.2.5. Determination of the security expectations
The determination of the security expectations sets the limits of the protection measures. A company obviously cannot eliminate every risk; some will have to be accepted so that the protection measures remain affordable.
This is one of the most important tasks of a risk manager: deciding whether a risk is to be accepted, covered or reduced. The answer to this strategic question depends on the cost of the risk's impacts and on its probability of occurrence.
EBIOS thus provides a methodology for building a security policy on the basis of a risk assessment that takes the company's environment and its vulnerabilities into account.
Sources: Developpez.com - EBIOS, 2005 ; DCSSI, 2004
II_1.3. Marion
II_1.3.1. Principles of the methodology
Marion is a risk assessment methodology oriented towards information systems. It was developed by the CLUSIF (Club de la Sécurité de l'Information Français) and was abandoned in 1998 in favour of another methodology called MEHARI. It is a security audit methodology which gives a quantitative evaluation of the logical risks of a company in the different domains of security. Marion is based on the evaluation of both the organisational and the technical aspects of security.
II_1.3.2. Running of the methodology
The methodology is based on audit questionnaires dealing with precise domains. The questionnaires are used to evaluate the vulnerabilities of the company in these specific domains of security. They consist of hundreds of questions with different weights.
The methodology uses 27 indicators classified into 6 themes. Each indicator gets a mark from 0 (not secure at all) to 4 (excellent). The themes are the following:
o Organisation of the security
o Physical security
o Business continuity
o Logical organisation
o Logical security
o Software security
Marion is a 4-step methodology, described below.
II.1.3.2.a Preparation
The first step is the preparation step. It defines the security objectives to be reached as well as the limits of the study, i.e. what is going to be examined by the methodology. Once these limits are set, the methodology can be applied more effectively.
II.1.3.2.b Vulnerability audit
The vulnerability audit is the step in which the vulnerability questionnaires are answered. The answers are used to identify the different risks to the security of the information system. At the end of the audit, a diagram is drawn showing the mark obtained for each indicator and highlighting the most important risks.
Here is an example of the Marion diagram:
Example of a MARION vulnerability diagram
This diagram represents on a circle the value and the mark of each indicator. It shows the vulnerabilities and the vulnerable points of the information system, underlining those that should be protected.
Another diagram is drawn at the end of this step. It represents, for each indicator, the gap between the mark obtained and the target value, which is 3 out of 4. This gap is weighted according to the importance of the indicator for the system studied, which brings out the most important vulnerabilities of the information system.
II.1.3.2.c Risk assessment
The risk assessment prioritises the different risks according to their importance and their criticality (major risks and simple risks). The information system is then divided into different entities for a more detailed analysis. These entities are classified according to the threats, their impacts and their probability. The methodology defines 17 kinds of threats, which are not described here; a physical accident or a logical attack on the network are two examples.
II.1.3.2.d Action plan
The action plan is the last step of the methodology. It proposes several solutions to implement so as to raise the marks of the indicators up to the target level (3 out of 4). The cost of reaching these target levels is evaluated, as are the tasks necessary to reach them.
To conclude, this methodology is quite simple to implement and is well suited to comparing different companies or sites that are audited.
Example of a MARION gap diagram
Sources: Developpez.com - Marion, 2005; Teamlog, 2003
II_1.4. ISO 17799 – Questionnaire Audit
Thales has created a questionnaire audit based on ISO 17799, called ISO full. It is a questionnaire which takes all the recommendations of ISO 17799 into consideration and turns them into questions. These questions are grouped in the same categories as in ISO 17799, that is:
o Security policy
o Security organisation
o Classification and control of sensitive assets
o Security of the employees
o Physical and environmental security
o Communications and operations management
o Access control
o Development and maintenance of the information system
o Business continuity management
o Compliance
Once the questions are answered, a diagram is generated automatically, as in the Marion method. The diagram shows the actual vulnerability level and a target level, which is determined in interviews with the company studied according to its basic security needs. This is not a methodology but a practical tool, useful when an audit is required without any risk analysis or study of the system in its environment. It is extremely useful when time is short.
Sources: TSS, ISO full, 2006; AFNOR, 2005
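The gap diagrams described for Marion and for the ISO full questionnaire both rest on the same small computation: for each indicator, the distance between the mark obtained and a target level, weighted by the importance of the indicator, then ranked and summed per theme or per site. The block below is an added worked example of that computation; it is not code from the thesis or from Thales. Marion's 27 indicators are not listed on this page, so the indicator names, the weights and the marks are constructed sample data; the 0..4 mark scale, the target of 3 and the six theme names are taken from the text above. The `target` parameter is kept adjustable because the ISO full tool sets it per company from interviews rather than fixing it at 3.

```python
"""Weighted gap computation behind a MARION-style gap diagram (added example)."""
from typing import Dict, List, Tuple

MIN_MARK, MAX_MARK = 0, 4   # MARION marks: 0 = not secure at all, 4 = excellent
DEFAULT_TARGET = 3          # MARION's target value for every indicator (3 out of 4)

# Constructed sample data. MARION's 27 indicators are not listed in the thesis,
# so these indicator names are hypothetical; the six theme names are MARION's.
SAMPLE_THEMES: Dict[str, str] = {
    "Security policy": "Organisation of the security",
    "Security roles": "Organisation of the security",
    "Access to premises": "Physical security",
    "Fire protection": "Physical security",
    "Backup plan": "Business continuity",
    "Segregation of duties": "Logical organisation",
    "Logical access control": "Logical security",
    "Software change control": "Software security",
}
SAMPLE_MARKS: Dict[str, int] = {
    "Security policy": 2, "Security roles": 3, "Access to premises": 1,
    "Fire protection": 4, "Backup plan": 2, "Segregation of duties": 1,
    "Logical access control": 2, "Software change control": 3,
}
# Importance of each indicator for the system studied (assumed scale, default 1.0)
SAMPLE_WEIGHTS: Dict[str, float] = {
    "Security policy": 1.5, "Access to premises": 2.0, "Backup plan": 2.0,
}


def weighted_gaps(marks: Dict[str, int], weights: Dict[str, float],
                  target: int = DEFAULT_TARGET) -> Dict[str, float]:
    """Gap diagram data: (target - mark) per indicator, weighted by importance.
    A mark at or above the target gives a gap of 0 (a surplus on one indicator
    is not credited to another). A mark outside 0..4 is a data-entry error, not
    a result, so it is rejected rather than silently clamped."""
    gaps: Dict[str, float] = {}
    for indicator, mark in marks.items():
        if not MIN_MARK <= mark <= MAX_MARK:
            raise ValueError(f"{indicator}: mark {mark} outside {MIN_MARK}..{MAX_MARK}")
        gaps[indicator] = max(0, target - mark) * weights.get(indicator, 1.0)
    return gaps


def ranked_indicators(gaps: Dict[str, float]) -> List[Tuple[str, float]]:
    """Largest weighted gap first: the 'most important vulnerabilities' to fix."""
    return sorted(gaps.items(), key=lambda kv: (-kv[1], kv[0]))


def theme_gaps(gaps: Dict[str, float], themes: Dict[str, str]) -> Dict[str, float]:
    """Sum the weighted gaps per MARION theme (the six sectors of the diagram)."""
    totals: Dict[str, float] = {}
    for indicator, gap in gaps.items():
        theme = themes[indicator]
        totals[theme] = totals.get(theme, 0.0) + gap
    return totals


def total_gap(marks: Dict[str, int], weights: Dict[str, float],
              target: int = DEFAULT_TARGET) -> float:
    """One figure per site, which is what makes MARION usable to compare sites."""
    return sum(weighted_gaps(marks, weights, target).values())


if __name__ == "__main__":
    gaps = weighted_gaps(SAMPLE_MARKS, SAMPLE_WEIGHTS)
    for indicator, gap in ranked_indicators(gaps):
        print(f"{indicator:24s} mark={SAMPLE_MARKS[indicator]} weighted gap={gap:.1f}")
    print("per theme:", theme_gaps(gaps, SAMPLE_THEMES))
    print("site total:", total_gap(SAMPLE_MARKS, SAMPLE_WEIGHTS))
```

Running the sample puts "Access to premises" (mark 1, weight 2) at the top of the ranking even though "Segregation of duties" has the same mark, which is exactly the effect of the weighting the text describes; "Fire protection" scores above the target and contributes nothing, since the diagram only shows shortfalls.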
II_1.5. Confidential risk assessment methodology
Another risk assessment methodology was studied during the internship. Unfortunately, it is strictly confidential and cannot be described in this report. Nonetheless, some interesting points can be highlighted. This methodology defines the concept of attractiveness of a target: some targets are more interesting to an aggressor than others. Regarding terrorism, for example, it is far more interesting for the aggressor to attack an explosive target in the middle of an overcrowded city than a farm, because the two do not have the same image or the same impact on people's feelings. This concept is essential when dealing with malevolent actions.
Moreover, this risk assessment methodology computed a return on investment for security measures, but the computation was neither clear nor easy to handle. Nonetheless, it is one of the first methodologies to mention the possibility of computing a return on investment, which is a very good idea, especially in a domain (security) that requires a lot of money.
Unfortunately, this methodology dealt only with malevolent actions and was thus not wide enough.
II_2. Interviews
II_2.1. Interviews with Counter-admiral Girard
Counter-admiral Georges Girard was met several times during the creation of the methodology. He is the editor of a specialised strategy and security review called "Défense Nationale et Sécurité Civile". Before becoming its editor, he elaborated war strategies for France.
According to him, the most important thing to do when you receive a mission from someone is to reformulate and redefine it, so as to be sure that it has been well understood and that everybody agrees on it. Moreover, before starting a mission, Admiral Girard considers it necessary to determine its limits and its perimeter, and to have everyone agree on them.
It is also necessary to follow general principles when applying a risk assessment methodology. These general principles are the following:
o Security is a frame of mind: people who work in risk assessment should always be thinking about it. This frame of mind is one of the most important things to teach the customers of a risk assessment. They should learn to think about security and never to neglect any small detail, for example logging off their computer when they leave, or shutting and locking the office door when leaving. When the security frame of mind is there, a big part of the job is already done.
o Return of experience is necessary and essential: experience is of course an advantage, especially for people working as consultants.
(Interviews with Counter-Admiral Girard, 2005-2006)
II_2.2. Interviews with Guy Dubois
Guy Dubois was the supervisor of this internship. He contributed to the creation of the methodology thanks to his experience in risk assessment and security. The methodology reflects many of his ideas and his years of experience as a consultant in risk management; he is one of the main contributors to its success.
According to him, an essential point in a risk assessment methodology is an iterative process. This appears in the methodology under the name "maintenance of the security level": the methodology should be applied year after year, because threats, companies, vulnerabilities, etc. evolve. Moreover, it supports a continuous improvement of the security level within a company.
(Interviews with Guy Dubois, 2005-2006)
II_2.3. Interviews with Thomas Lebouc
Thomas Lebouc was another supervisor for this internship. He helped me with the implementation of the methodology thanks to his commercial experience and his frequent contacts with customers. The methodology tools reflect many of his ideas.
According to him, an essential point in a risk assessment methodology is to be clear and to have specific, easy-to-use tools. Questionnaires and diagrams are necessary to convince a customer and to show results quickly and clearly. Moreover, a methodology is good only if many people can use it easily, which is why clear schemes and diagrams are better than too many pages of explanation. The methodology has to be as simple as possible.
(Interviews with Thomas Lebouc, 2005-2006)
II_2.4. Interviews with Gérard Pesch
Gérard Pesch is the manager of the consultancy division of Thales Security Systems and one of the managers who carry the HELP offer there. He has many commercial meetings and wanted this methodology to become a new commercial opportunity.
According to him, it is really important that the methodology integrates the HELP offer in its tools and principles, so as to match the company's commercial offers.
(Interviews with Gérard Pesch, 2005-2006)
II_2.5. Interviews with Yves Le Dauphin
Yves Le Dauphin is one of the associates of Cesar Consulting, a consultancy company in human resources. This company has a partnership with Thales Security Systems for the human part of the HELP security offer.
According to him and to his consultancy company (Cesar Consulting, 2005), the organisation of security is essential for the security of a company. People should know what they are responsible for, what they should do in case of an accident, and what they should do in their everyday work. There should be procedures and checklists of actions to take if an incident occurs. An organisation chart is necessary in order to know which employee is responsible for the proper working and the maintenance of the protection means, etc.
The security actions and procedures should be included in the working tasks that every employee has to perform. Moreover, accidents are often due to a poor organisation, an inappropriate behaviour or a poor knowledge of the security procedures and routines. Human errors are very often the source of the most important catastrophes (Chernobyl, for example). Therefore, security education and training is an effective way to decrease the number of errors and accidents.
(Interviews with Yves Le Dauphin, 2005-2006)
II_3. Application on two sites
The methodology has been applied on two specific sites in France for the French company Suez: a water production site and a heat production site. During these missions, many security and risk management professionals were met; their experience and knowledge have been incorporated into the methodology and its application tools.
Moreover, these two missions provided information on these two specific domains, i.e. water and heat production, and on their specific threats and risks, such as water pollution. This helped to update some of the tools. The methodology should improve itself at each mission.
III_ Analysis: Comparison of the methodologies
In order to create the new methodology, a comparison table was drawn up. This table sets out and compares the 5 studied methodologies, with their advantages and drawbacks. Its conclusion is summarised in its last column, called "New methodology". This column shows how the different drawbacks are reduced or removed and which advantages should be included in the new methodology.
Methodology / Interviews: Integrated security risk assessment (Bouvier)
Advantages:
o Good definitions of the different concepts in risk assessment: risk, threat and vulnerability
o Easy calculation to evaluate a risk: probability * gravity
o Description of the security needs
o Important lists of threats, vulnerabilities and targets
o Organisational security taken into account
Drawbacks:
o Mainly adapted to the security of information systems
o No easy-to-use tools for the application of the methodology
o The diagrams proposed by the methodology to present the results are not clear
o No target level of protection
o Not easy to compute the reduction of the risks when implementing a protection measure
o Methodology really difficult to implement by another consultant
New methodology, how it should be:
o Adapted to all kinds of systems and companies
o Linked to useful and easy-to-use tools
o Diagrams showing the results clearly
o Existence of a target level
o Take the lists of threats, vulnerabilities and targets
o Same definitions of risk, threat and vulnerability

Methodology / Interviews: EBIOS
Advantages:
o A tool can directly generate risk assessment reports when it is properly filled in
o Description of the security needs
o Organisational security taken into account
Drawbacks:
o Mainly adapted to the security of information systems
o The software tool is really difficult to use
o The methodology is not so clear when going into more detail
o No quantification of the level of the risks, threats and vulnerabilities
o No possible update
New methodology, how it should be:
o Adapted to all kinds of systems and companies
o Clear and easy-to-use tools
o Quantification and calculations as much as possible
o Possible update

Methodology / Interviews: MARION
Advantages:
o Precise questionnaire audit
o Diagrams showing directly the important results
o Quantification of a target level of protection
o Old method with many previous updates
o Adequate to compare different sites
o Organisational security taken into account
Drawbacks:
o Mainly adapted to the security of information systems
o Not a whole risk assessment methodology, more oriented towards a questionnaire audit
o No possible update
New methodology, how it should be:
o Adapted to all kinds of systems and companies
o Take the questionnaire audit and the diagram showing the important results
o Target level of security
o Possible to compare different sites

Advantages and drawbacks of the methodologies studied – Characteristics of the new methodology
Methodology / Interviews: ISO 17799 Questionnaire audit
Advantages:
o Questionnaire made from an international standard
o The questionnaire is divided into categories that cover the 4 categories of the HELP offer
o Diagrams showing directly the important results
o Quantification of a target level of protection
Drawbacks:
o Mainly adapted to the security of information systems
o The questions are not clear at all, too long, and difficult to answer
o Not a whole risk assessment methodology, only a questionnaire audit
New methodology, how it should be:
o Adapted to all kinds of systems and companies
o Clear and easy-to-use tools
o Take the questionnaire audit and the diagram showing the important results
o Target level of security
o Cover the 4 categories of HELP

Methodology / Interviews: Confidential methodology
Advantages:
o Definition of attractiveness
o Definition of a security return on investment
o Existence of a list of protection standards
Drawbacks:
o Mainly oriented towards malevolent actions
o Tools only applicable on the sites of the company which created the methodology
o The return on investment is difficult to compute for a specific risk or a specific protection measure
o Absence of a definition of the mission and its limits
New methodology, how it should be:
o Attractiveness, return on investment
o Adapted to all kinds of systems and companies
o Define the mission and its limits

Advantages and drawbacks of the methodologies studied – Characteristics of the new methodology (2)
IV_ Discussion: the new methodology
IV_1. Expectations of the company
As described in the previous parts, several different methodologies exist in the risk assessment domain; many companies have created their own methodology to assess risks. The advantages and drawbacks of several of them have been described above.
According to many consultants, these methodologies are not clear enough, not complete enough, not linked to the customers' activities, or too complicated to be used efficiently. There is consequently an obvious need for a methodology that can be applied more easily, by people who do not have the time to read hundreds of pages of methodology, and that can be used for every type of security risk.
The consultancy division of Thales Security Systems therefore expected a methodology that could be used by all its consultants, with specifically designed tools adapted to their issues and easy to handle. The need for a methodology adapted to every kind of risk was strong, so as to match the offer called HELP, described previously.
The methodology created would then become a strong new commercial offer for the company, thanks to the combination of the main advantages of the different existing methodologies.
IV_2. The new methodology
IV_2.1. Introduction
The methodology described in the following paragraphs is composed of these 4 main steps:
o The general analysis of the system
o The risk assessment
o Protection standards
o Budget, action plans and implementation of security
These four steps are preceded by the definition of the mission and its limits, named step 0 as it comes as a prelude to the methodology.
IV_2.2. General Principles
In parallel to these four steps, the methodology defines general principles which apply to all of them and which emphasise the security frame of mind necessary for a good result. This part shows that security is not only words: people have to think about it and live with it, not against it. Finally, it is worth noting that the methodology can be applied at several levels:
o Strategic level
o Operational level in a business unit
o Site level
o And even at the level of a project or a process
IV_2.3. General Organisation
Here is a scheme of the general organisation of the new risk assessment methodology, created thanks to the study of the existing methodologies described above.
Definition of the mission and its limits
Tasks:
o Definition of the mission
o Definition of the perimeter and the limits of the mission
o Definition of the goals to reach
Method:
o Interview meetings and launching meeting
Deliveries:
o Description of the mission
o Perimeter and goals of the mission
o Presentation of the company
o Report of the interviews
o Presentation of the business case
o Summary of the different tasks to be done and projected planning

Step 1: General Analysis of the System
Tasks:
o Study the system and its environment
o Describe the environment of the system
o Analyse the organisational, technical and human means
o Define the security needs in CIA (confidentiality, integrity, availability)
Method:
o Questionnaires
o Interviews
o Business impact assessment methods
o Etc.
Deliveries:
o Report of the interviews
o Description of the environment
o Architecture of the system
o Description of each activity
o General organisation of the company
o Quantification of the needs of security

Step 2: Risk analysis
Tasks:
o List the specific threats
o Determine the probability and the attractiveness of the threats
o Select the critical assets
o Classify these assets in colour zones
o Determine the vulnerabilities of the critical assets
o Map the risk
Method:
o Questionnaires
o Interviews
o Analysis of the system
o Return of experience of other consultants
o Lists of threats
o Lists of vulnerabilities
o Calculations
Deliveries:
o List of the selected threats and their probability
o List and zoning of the selected critical assets
o List of the selected vulnerabilities
o Correlation threat – asset – vulnerability
o Zoning
o Map of risks

Summary of the different tasks, method and deliveries of each step
Step 3: Protection standards
Tasks:
o List the best practices and the applicable laws for the kind of company
o Identify the protection standards by threat
o Definition of the existing protection levels and of the necessary protection levels by zones and threats
o Calculation of the vulnerability levels and of the real threat
Method:
o Study of the market
o State of the art in protection measures
o Return of experience of other consultants
o Interviews
o Calculations
o Etc.
Deliveries:
o Protection standards
o Levels of protection, level of vulnerability, level of real threat, etc.

Step 4: Budget, action plans, security implementation
Tasks:
o Define the cost of the risks
o Determine the initial level of risks
o Take correcting measures
o Define the corrected level of risks
o Determine the return on investment
Method:
o Calculations
o Return of experience
o Insurance calculations
o Etc.
Deliveries:
o Risk level
o List of correcting measures
o Corrected level of risks
o Security return on investment

Summary of the different tasks, method and deliveries of each step
IV_2.4. Glossary
Here are some of the notions that have to be clarified before the explanation of the methodology. Other words specific to this methodology appear in the report and are defined where they first occur.
This methodology uses the same definitions as the methodology called "Integrated security risk management", as they seem clear and suited to the new methodology's concepts. (Bouvier, 2004)
IV_2.4.1. Asset
An asset is a person, a logical or physical target, or a valuable interest.
IV_2.4.2. Threat
A threat is the occurrence of an action or event that could compromise a target.
IV_2.4.3. Vulnerability
A vulnerability is a weakness of a target or of its environment that could be exploited by a threat agent.
IV_2.4.4. Risk
A risk is the probability that a threat agent exploits a vulnerability of an asset. It is an unpredictable event which hinders the achievement of an objective. A risk is therefore a combination of the three previous key words; if one of them is missing, there is no risk. In particular, if there is no asset, there is no risk!
The following diagram underlines the links between these three parameters and the definition of a risk.
IV_2.5. Step 0: Definition of the mission and its limits
This first step is essential for the methodology. It corresponds to the definition of the problem and of the mission to carry out: it consists of a reformulation of the mission given by the customer and of the results (objectives) that should be obtained. This step also determines the perimeter of the study, i.e. its limits; everything outside this perimeter is not taken into account in the risk assessment. A small mistake in this step could therefore have tremendous consequences on the risk analysis, which shows how important it is.
This step also helps to determine the length and breadth of the mission, and gives an idea of the deliveries wanted by the customer.
IV_2.6. Step 1: General analysis of the system
Step 1: General Analysis of the System
The first step of the analysis is a study of the whole company in its environment, which serves to present the company studied and the way it works. This step is necessary in order to determine the architecture of the system, i.e. the organisational, technical and human means the company needs for its processes. They are described by means of organisation charts, schemes and diagrams showing, for example, the different processes, flows or production chains. The organisation of security is an essential point of this step, so as to know who is responsible for what and who has the authority to implement security measures.
The real task is to understand how the company works and which activities and processes are truly critical for its survival if an accident or a threat were to occur.
The environment of the company must be described as precisely as possible. A great deal of important and pertinent information for the implementation of the methodology comes from this description (geographical environment, political environment, period of the study, etc.).
Afterwards, the security needs of the studied processes are defined and classified. A security need is linked to an asset or to a process; it represents what the asset or process can bear without jeopardising the company, i.e. how critical the different assets are.
These security needs are needs in:
o Confidentiality: information about a target must not be disclosed except to those with authorised access
o Integrity: a target must not be modified or destroyed
o Availability: access to a target must be guaranteed to authorised personnel when required
These security needs are linked to the different assets of the studied company. They help to understand the company and to know what is really critical for its survival. This is the first step of the analysis proper; the previous tasks were only a description of the company and its activities.
IV_2.7. Step 2: Risk Analysis
Step 2: Risk Analysis
For the risk analysis, two kinds of threats are studied: on the one hand the accidental threats, i.e. errors, accidents, etc., and on the other hand the voluntary threats, so-called malevolent actions.
This step starts from a map of the threats, which is a simple list of classical threats and threat categories (e.g. fire, flood, etc.). Some threats are specific to a given company, in which case the list has to be updated. A set of threats is chosen jointly by the consultant and the company: all the threats to be taken into account in the study have to be selected during this step, and the other threats will not be studied in this specific case.
For accidents and errors, the purpose is to determine the probability of occurrence of each threat or kind of threat. This quantitative value is attached to the threat. It can be calculated or estimated, as insurance companies do.
Malevolent threats are also given a quantitative value, called the global threat. To determine it, several parameters must be taken into account:
o Geographical location
o Geopolitical events (terrorism, religious or civil wars, etc.)
o Current news
o The type of company studied, etc.
The data can be computed or more often evaluated thanks to the return of experience of security professionals or thanks to common sense sometimes.
The last important task in the determination of these data is the notion of attractiveness, when dealing with malevolent actions. The attractiveness represents actually how interesting an asset is for an aggressor point of view. The combination of the attractiveness and the global threat leads to the quantitative data called the on-site threat, which is computed automatically.
Afterwards, it is possible to reach a list of threats both accidental and malevolent. These threats are now all linked to a quantitative data. It is worthy to note that some threats can be both malevolent and accidental (a fire for example) and have therefore two different data. Then the final data will be the most important one so as to have an optimal protection.
Threats determination
Then, the critical assets will have to be defined and selected (according to the study in the first step). These assets will be classified in a zoning describing the most critical areas of the studied company. If an asset is not threatened by any threat, then it won’t be taken into account. The protection will thus be oriented towards the selected threats and towards the critical assets that have to be saved whatever happens.
The vulnerabilities of these assets will then be determined thanks to interviews (with an audit questionnaire) and visits. This part will help to have a transverse vision of the weaknesses of the company and its assets, and then to improve their protection.
Then, a risk map and a risk analysis board are established by combining the information obtained during this step, which is the most demanding one of the methodology in terms of time and effort.
IV_2.8. Step 3: Protection standards
Step 3: Protection Standards
Once the laws and constraints imposed by regulations, the best practices and the state of the art in security for the studied domains and activities have been determined, protection standards can be defined. These protection standards are protective equipment, a new organisation, or recommendations such as the training of employees, to be implemented so as to reduce the level of risk. They are classified in the HELP scheme (human, environmental, logical and physical protection means) and presented in protection standard sheets.
The actual level of protection of the assets can then be determined by direct comparison with the defined standards.
The difference between the actual level of protection and the requested level of protection defines the level of existing vulnerabilities. If an asset is protected as defined by the protection standards, the level of existing vulnerabilities is 0. This is therefore a relative notion: it amounts to treating the risk as equal to 0, i.e. as if there were no risk. This is only a convention used to decide when the level of protection is judged sufficient; in reality the risk is never 0, as the following diagram shows. Residual vulnerabilities and risks have to be accepted.
This step is closely connected to the previous one, as the calculations (of the real threat, for example) are done in a risk analysis board that gathers the information from both step 2 and step 3.
Level of vulnerabilities
To treat and reduce these vulnerabilities, a budget has to be established, corresponding to an action plan agreed with the company.
The combination of the vulnerability and the probability of the threat represents the probability that an action succeeds (from the aggressor's point of view). The real threat is thus the probability of the threat once the existing level of protection is taken into account. This yields a quantitative value that accounts for the asset, the threat and the vulnerability of the asset, i.e. the three components of a risk.
IV_2.9. Step 4: Budget, action plans and implementation
Step 4: Action plans and security implementation
The cost of the risk is the estimated value of the assets, i.e. the money needed to return to the previous situation after an incident has occurred (taking into account acquisition costs, the interruption of activity in case of destruction, etc.). Its combination with the real threat gives the level of risk, which represents the potential losses.
To decrease the risk, corrective measures (generally aimed at reaching the protection standards) are taken. These measures decrease or even eliminate the vulnerabilities. A new, corrected level of risk is then calculated.
The money needed to improve the protection of the assets is then determined. It then becomes possible to compute the investment efficiency, also called the return on investment, as the ratio between the risk reduction and the investment costs.
This part has never been applied, for lack of time, so some details may well change. The way of computing the return on investment seems sound in theory, but it is very difficult to know the investment cost for a specific risk, as protection standards often protect against several risks at once.
IV_2.10. Advantages
IV_2.10.1. Accidents and malevolent actions
One of the important advantages of this methodology is that it considers both accidents and malevolent acts. The return of experience of Thales Security Systems and the study of several existing risk assessment methodologies give this methodology a large body of references and of already studied threats and vulnerabilities.
Every kind of risk is thus covered by a single methodology. It also integrates the four components of the HELP offer of Thales. Many of the studied methodologies actually consider only logical security problems or only accidents.
IV_2.10.2. Security return on investment
The calculation of the return on investment is often missing in the security domain. Chief executive officers need these data to decide whether it is worth investing in security or not. The lack of data often leads to a lack of money in this domain, where it is hard to obtain investment because security is only a source of expense, not a source of income like production.
The calculation of the return on investment is missing from many risk assessment methodologies. Unfortunately, it has not been tested on the two practical application missions, and its calculations still appear somewhat complex.
IV_2.10.3. Definition of the mission
The definition of the mission is absolutely necessary when dealing with a customer. It protects the consultant, since the conclusions of this part set the limits of the study and the preliminary planning. It is also a good way to check that the customer and the consultant share the same idea of what the main conclusions of the report are going to be. This methodology helps to identify which risks a company is sensitive to and to give recommendations for protection, but the protection standards then have to be implemented, and the methodology is of no help for that.
This definition of the mission is a reformulation of the mission and of its limits, and it is essential for the smooth running of the mission.
IV_2.10.4. Several levels of application
This methodology has the great advantage of being a general one. According to Counter-Admiral Georges Girard, it could even be used for a war strategy. It could of course also be used for the strategic decisions of a company, as every type of decision is a risk assessment, especially in a company. The technical and operational levels are also relevant application levels.
IV_2.10.5. Many references and a large return of experience
As several methodologies were studied for the creation of this one, their questionnaires, vulnerability and threat lists and other information have been gathered in the documents and tools of this methodology. Moreover, many Thales missions have been studied. The return of experience is a huge source of information for consultancy companies.
IV_2.10.6. Easy-to-use tools
Tools have been created to apply the methodology. The whole methodology is structured around application tools, such as questionnaires, boards, standard protection sheets, and diagrams that are generated nearly automatically as soon as the questionnaires are filled in. Consultants can therefore focus on the information they get from the customers.
Some of these tools are described in the next part.
V_ Application and practical tools
The methodology just described was applied on two different sites in order to improve it and to create practical tools for applying it. For obvious confidentiality reasons, the results of these risk assessments are not shown here. The practical tools created to apply the methodology are, however, described below.
V_1. Security needs
V_1.1. Security needs
Through interviews with the studied company, the security needs of each activity can be described. These security needs are expressed in terms of confidentiality, availability and integrity.
o Need for confidentiality: represented on a scale indicating which people are authorised to see and consult an asset without critical consequences for the company
o Need for availability: represented on a scale indicating how long an asset could be out of service without critical consequences for the company
o Need for integrity: represented on a scale indicating how much an asset could be damaged without critical consequences for the company
They give information on the criticity of the studied assets and processes. They are evaluated on a scale determined with the company, ranging from a small to a critical or vital need for security. The vital level is reserved for the assets and processes whose loss would jeopardize the future of the whole company.
V_1.2. Criticity of assets scheme
Here is an example of the scheme that can be obtained. The final criticity level is actually an average need for security evaluated from the three security needs. If an asset has large security needs, then it is critical.
It shows clearly and quickly which processes and which assets are the most critical for the company. It gives a clear overview of what has to be protected against every potential threat.
Figure: Assets and impacts (criticity scale from 0 to 4 in steps of 0.5, for Asset or process 1 to 15; legend: critical, important criticity, medium criticity, small criticity)
V_2. Vulnerability audit
V_2.1. Questionnaire
A large questionnaire gathering several hundred questions has been created and implemented, drawing on the return of experience of Thales and on the classical vulnerabilities found in the different methodologies studied.
When this questionnaire is filled in, a scheme can be obtained that represents both the actual level of security and the target levels (objectives), i.e. the security goals.
The questionnaire groups its questions in several categories. The top-level categories are those of the HELP offer: human, environmental, logical and physical. These are then divided into sub-categories more specific to the company.
Here is an example of a question and its calculations.
Question                          | Remarks                | Percentage | Coefficient (1-4) | Vulnerability level | Objectives
Ex: Is the site totally enclosed? | Holes in the enclosure | 50 %       | 4                 | 2                   | 4
The first two columns are straightforward, and the questions themselves are short and easy to understand. The column named percentage is the level of the answer, from No (value 0%) to Yes (value 100%). The small holes in the enclosure make the answer 50% here rather than 100%.
The coefficient reflects the importance of the question. Here it has the maximum value, because the enclosure is essential to deter thieves and malevolent people from entering the company's site. The vulnerability level is then the combination of the coefficient and the percentage; this calculation is performed by the tool itself, and the coefficients are already set in the tool. Finally, the objectives column gives the value the company should reach. Here, of course, the site should be well enclosed, so the value is 4.
The value of the objectives column should be determined with the company, drawing on the return of experience of the security risk manager but also on common sense (as in the example given here).
All the questions are grouped in categories, and the tool computes average values for each category so as to produce the following scheme.
V_2.2. Scheme
Here is an example of a possible scheme obtained from the vulnerability audit questionnaire.
Figure: Vulnerabilities scheme (scale from 0 to 8) for the categories P - Access control; P - Guards; P - Visitors and deliveries control; P - Security of the site; E - Pollution; E - Industrial security; H - Crisis management; H - Accidents management; H - Organisation; H - Human security; L - Logical security
V_3. Vulnerability board
Here is an example of the organisation of a vulnerability board. This board gathers the most important categories of vulnerabilities. The vulnerability audit and the risk analysis board have made it possible to determine and gather all the vulnerabilities of the company and its assets.
The vulnerabilities are then classified and grouped in categories so as to simplify the improvements; many vulnerabilities can actually be resolved by a single measure, for example when the problem lies in the security organisation. Each category is given a priority linked to the qualification of the risk: a vulnerability causing a critical risk is an important vulnerability.
The board helps to see quickly which vulnerabilities are the most important and have to be resolved as soon as possible.
HELP                              | Category of vulnerability     | Vulnerabilities | Priority
H - Human vulnerabilities         | Roles and responsibilities    | *               | Important
                                  | Accidents management          | *               | Important
                                  | Human resources               | *               | Small
                                  | Security organisation         | --              |
                                  | Resilience, crisis management | *               | Medium
E - Environmental vulnerabilities | Pollution – 1                 | *               | Important
                                  | Pollution – 2                 | *               | Medium
L - Logical vulnerabilities       | Back-up                       | *               | Medium
                                  | Passwords                     | *               | Important
P - Physical vulnerabilities      | Enclosures                    | *               | Small
                                  | Building 1 security           | *               | Medium
                                  | Building 2 security           | *               | Important
                                  | All buildings security        | *               | Important
                                  | Guards                        | *               | Medium
V_4. Protection standard sheet
Here is an example of the protection standards given at the end of the study. The difference between the actual level of protection and the requested level of protection defines the level of existing vulnerabilities, which is needed for the calculation of the real threat and the qualification of the risk.
Category of vulnerability: Resilience
Crisis management
Lack of check-lists and procedures
Report: Crisis management and business continuity in the company are not sufficiently formalized. There is an obvious lack of procedures that would let employees know what to do in case of a crisis.
Moreover, information would not be broadcast efficiently if a crisis occurred, as employees would not know which information is most important for taking good and quick decisions.
Furthermore, the list of phone numbers is never updated, and many of the numbers no longer work.
Finally, check-lists of the first actions to take in case of a crisis would be needed for each kind of employee.
Identified risks: Here are the identified risks for the company
o Lack of reaction in case of a crisis
o More impacts and worse consequences
o Lack of information on what is happening
Recommendations: Our recommendations are the following:
o Write and broadcast check-lists gathering the information about the actions to take in case of a crisis
o Create a list of the essential phone numbers, and update this list every month
o Create worksheets regarding the broadcasting of information in case of a crisis
A protection standard sheet like this is produced for each category of vulnerabilities in the vulnerability board.
V_5. Risk analysis board
As a risk is a combination of an asset, a vulnerability and a threat, I have created a board, called the risk analysis board, to gather all the risks the company should deal with. It also shows the results of step 2 and step 3. The way the board is filled in is described here.
V_5.1. Global threat
A quantitative value, called the global threat, is linked to each threat. It corresponds to the probability of the threat. Its value goes from 1 (the threat practically never occurs) to 4 (the event is very likely to happen). These values are evaluated through interviews and entered in the Global Threat column of the risk analysis board.
V_5.2. Attractiveness
The attractiveness represents how interesting an asset is from an aggressor's point of view. This notion applies only to malevolent actions, of course, as accidents do not choose to happen.
The attractiveness is linked to the nature of the asset: it depends both on a threat and on an asset. It does not depend on the protection measures that already exist on the site.
Like the global threat, the attractiveness value goes from 1 to 4. It is determined through interviews and common sense, and also from the return of experience of consultants.
V_5.3. Vulnerabilities
The vulnerabilities of the asset are its weaknesses. These weaknesses may be physical, organisational, human, environmental or logical. They come from the vulnerability audit and from the observations made during visits to the company.
The board gathers all the vulnerabilities of a company and links them to specific assets and threats so as to determine and emphasize the potential risks.
V_5.4. Vulnerability level
The vulnerability level is evaluated by comparison with the protection standards.
V_5.5. Impact
The impact is the first criterion for the determination of the risk level. It is determined by combining the criticity of an asset (its security needs) with the level of the threat and its potential consequences. For example, a fire has a huge impact, as it can destroy everything, even the infrastructure. The value of the impact again goes from 1 to 4.
V_5.6. Real threat
The real threat is a combination of the global threat, the attractiveness, and the existing level of protection of the asset against a specific threat. This combination gives the value of the real threat, which is one of the criteria needed to qualify the risk. Its value goes from 1 to 4.
V_5.7. Qualification of the risk
The qualification of the risk is given by the following scale (rows: impact; columns: real threat):
Impact \ Real threat | 1         | 2         | 3         | 4
1                    | Weak      | Weak      | Weak      | Medium
2                    | Weak      | Medium    | Medium    | Medium
3                    | Medium    | Important | Important | Important
4                    | Important | Critical  | Critical  | Critical
This qualification of the risk reinforces the notion of impact: as soon as the impact is important, the risk must not be underestimated. This is why a risk with an impact of 4 is at least an important risk. The qualification helps to classify and prioritize the different risks, and therefore to set priorities for the recommendations given at the end of the study.
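As an added example (not the thesis's tool nor Thales's code), the questionnaire scoring of section V_2.1 and the qualification scale of section V_5.7 written out in Python, so that the chain from an audit answer to a prioritised board row can be checked; the product is assumed as the coefficient/percentage combination, and all audit answers and board rows are constructed:

```python
"""Added example, not a tool from the thesis or from Thales: the scoring rules the
thesis states in prose (audit questionnaire, V_2.1; qualification scale, V_5.7),
written out so the chain from audit answer to risk qualification can be checked.
All sample data below is constructed."""
from dataclasses import dataclass
from statistics import mean

# Qualification scale of section V_5.7, indexed QUALIFICATION[impact][real_threat].
QUALIFICATION = {
    1: {1: "Weak", 2: "Weak", 3: "Weak", 4: "Medium"},
    2: {1: "Weak", 2: "Medium", 3: "Medium", 4: "Medium"},
    3: {1: "Medium", 2: "Important", 3: "Important", 4: "Important"},
    4: {1: "Important", 2: "Critical", 3: "Critical", 4: "Critical"},
}
SEVERITY = {"Weak": 0, "Medium": 1, "Important": 2, "Critical": 3}
SCALE = (1, 2, 3, 4)


@dataclass
class Question:
    """One line of the vulnerability audit questionnaire."""
    category: str      # HELP sub-category, e.g. "P - Security of the site"
    text: str
    percentage: float  # level of the answer: 0.0 = No ... 1.0 = Yes
    coefficient: int   # importance of the question, 1-4, preset in the tool
    objective: int     # target level agreed with the company, 1-4

    def __post_init__(self) -> None:
        if not 0.0 <= self.percentage <= 1.0:
            raise ValueError("percentage must lie between 0 and 1")
        if self.coefficient not in SCALE or self.objective not in SCALE:
            raise ValueError("coefficient and objective are on the 1-4 scale")

    def vulnerability_level(self) -> float:
        # The thesis only says the level "combines" coefficient and percentage;
        # its worked example (50 %, coefficient 4 -> 2) is reproduced by a plain
        # product, which is the combination assumed here.
        return self.coefficient * self.percentage

    def existing_vulnerability(self) -> float:
        # Step 3: requested level minus actual level, 0 once the standard is met.
        return max(0.0, self.objective - self.vulnerability_level())


def category_averages(questions):
    """Mean actual level and mean objective per category: the two series the
    tool draws in the vulnerability scheme (section V_2.2)."""
    grouped = {}
    for q in questions:
        grouped.setdefault(q.category, []).append(q)
    return {cat: (round(mean(q.vulnerability_level() for q in qs), 2),
                  round(mean(q.objective for q in qs), 2))
            for cat, qs in grouped.items()}


def qualify_risk(impact: int, real_threat: int) -> str:
    """Qualification of one board row; both inputs are consultant-evaluated 1-4 values."""
    if impact not in SCALE or real_threat not in SCALE:
        raise ValueError("impact and real threat are on the 1-4 scale")
    return QUALIFICATION[impact][real_threat]


def scale_is_consistent(scale=QUALIFICATION) -> bool:
    """Check on a (possibly customised) scale: raising impact or real threat never
    lowers the qualification, and impact 4 is always at least Important."""
    for i in SCALE:
        for t in SCALE:
            s = SEVERITY[scale[i][t]]
            if t < 4 and SEVERITY[scale[i][t + 1]] < s:
                return False
            if i < 4 and SEVERITY[scale[i + 1][t]] < s:
                return False
    return all(SEVERITY[scale[4][t]] >= SEVERITY["Important"] for t in SCALE)


def prioritise(rows):
    """Order board rows (asset, threat, impact, real_threat) from the most to the
    least severe qualification, keeping board order among equals."""
    qualified = [(a, th, qualify_risk(i, rt)) for a, th, i, rt in rows]
    return sorted(qualified, key=lambda r: -SEVERITY[r[2]])


if __name__ == "__main__":
    # Constructed answers; the enclosure line is the thesis's own worked example.
    audit = [Question("P - Security of the site", "Is the site totally enclosed?", 0.5, 4, 4),
             Question("P - Security of the site", "Are guards present at night?", 1.0, 3, 3),
             Question("H - Crisis management", "Are crisis check-lists written?", 0.25, 4, 4)]
    for q in audit:
        print(q.text, q.vulnerability_level(), q.existing_vulnerability())
    print(category_averages(audit))
    # Constructed board rows; the coal reservoir row follows the thesis's board example.
    board = [("Offices", "Theft", 2, 3), ("Reservoir of coal", "Voluntary fire", 4, 2),
             ("Archive", "Flood", 3, 1)]
    print(prioritise(board), scale_is_consistent())
```

The consistency check is the one to rerun whenever a customer asks for the scale to be tuned: it rejects any variant in which a higher impact or a higher real threat yields a milder qualification.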
The example of the risk analysis board is presented on the next page.
Figure: Example of an asset studied in the risk analysis board. Columns: Asset; Threat; Global Threat; Attractiveness; Vulnerabilities; Impact; Vulnerability level (value); Impact (value); Real threat (value); Risk (qualification). Recoverable example row: asset "Reservoir of coal", threat "Voluntary fire", global threat 2, attractiveness 4, vulnerability "Vulnerability 9", impact "Explosion and fire and destruction of other infrastructures", vulnerability level 2, impact 4, real threat 2, risk "Critical".
V_6. Miscellaneous
V_6.1. List of threats
A list of threats has been established from all the methodologies studied. This list is a necessary basis for working with the company and for selecting the threats that are going to be taken into account in the study.
V_6.2. Risk analysis questionnaire
A small questionnaire has been built for this important part of the work. It gathers the most important questions to ask the company in order to determine its most important threats and vulnerabilities. Employees are often aware of their weaknesses, and this can be a good way to understand and anticipate the potential risks the company should take into consideration.
VI_ Further discussion
Some important points should be added for a better analysis of the report. The methodology that has been created is entirely based on the existing risk assessment methodologies. The purpose of this project was to take the best characteristics of each methodology and of each interview and to gather them in the new methodology. Some characteristics are not present in the new methodology, but it nonetheless gathers the following advantages drawn from the existing methodologies:
o The definition of a risk (threat + target + vulnerability), from Bouvier's methodology
o The definition of security needs, from Bouvier and EBIOS
o The vulnerability audit questionnaire with clear diagrams and a target level of protection, from MARION and ISO 17799
o The definition of the concept of attractiveness and the concept of security return on investment, from the confidential methodology
o The importance of the security frame of mind and of the return of experience as general principles, from the interviews with Counter-Admiral Girard
o Security as an iterative process, as suggested by Guy Dubois
o The clear and simple application tools, as suggested by Thomas Lebouc
o The organisational part of security, from the interviews with Yves le Dauphin
This methodology is thus a gathering of many points of view. The main difficulty was therefore that too many different points of view had to be taken into consideration, and it was impossible to include all of them in the new methodology. It is thus not a perfect methodology, as some positive elements of other methodologies could not be implemented here for reasons of coherence and practicality. For example, the automatic generation of reports offered by the EBIOS methodology could not be implemented in the new methodology. Moreover, some drawbacks are still present, such as the difficulty of computing the security return on investment. Finally, as the methodology has only been applied twice, on two highly similar sites, it is still a very young methodology. The running of the methodology and the application tools that have been created are thus going to change and evolve through continuous improvement.
Another difficulty was my lack of experience in running this project, which made me lose a lot of time at the beginning of the internship, as I had to learn everything concerning risks, vulnerabilities, threats, targets and so on. I had a lot of difficulty creating this methodology in a theoretical way, and the application on two industrial sites really helped me to understand the concepts better and to create a more relevant methodology applicable to a practical case study. Some of the application tools may surely be more oriented towards a specific kind of mission, for example risk assessment on industrial sites. This is surely a problem, but these application tools can easily be improved and updated just by adding information for other missions.
The sources of information were generally reliable and did not cause many problems. Many different people were involved, and only the main interviews have been described here. In fact, all the consultants of the consultancy division of Thales Security Systems have been interviewed to some extent, formally or informally. This methodology reflects the point of view of the whole consultancy division.
The application work could also have been done with other existing risk assessment methodologies, so as to compare different ways of assessing the risk. Perhaps it would have been better to have other kinds of risk assessment methodologies, for example those of industrial companies, but these companies want to keep their methodologies as secret as possible and I was not able to gain access to them.
Confidentiality was another annoying part of this report and of the whole internship, as it prevented me from exposing some details and results in this report, and also from getting information during my internship. This is a really secretive domain, which is why my study was mainly based on public risk assessment methodologies like EBIOS and Marion. This is surely one of the main drawbacks of the work realised during this internship.
Conclusion
Thales is a huge company dealing with security. The company wanted to create a new methodology linked to its commercial offer called HELP, and this methodology was the purpose of the 10-month internship. To fulfil this purpose, several methodologies were studied and many interviews were carried out. Moreover, a draft methodology was applied in practice on two different sites of the company Suez so as to create application tools. The goal has thus been reached: a methodology has been created that matches the different wishes of the company. The new methodology seems to gather a large part of the advantages of the studied methodologies as well as the advice of the specialists interviewed.
Nonetheless, this new methodology is far from perfect, and there are many potential improvements. For example, it would be important to test the methodology again and again to confirm that it is applicable on every type of site, and also to update and improve it. Moreover, the last step of the methodology has not been tested, for lack of time, so it is not yet known whether the calculation of the return on investment is effective. This part is not reliable yet, because no application tools have been implemented and the calculation of the costs of the risks seems very difficult, as too many parameters have to be taken into account. This budget part of the methodology is thus a major drawback, but it is essential to emphasize that the notion of security return on investment, like the concept of the cost of a risk, is quite new.
Another important point is that the methodology is still not known by companies, and it is hard to find customers for the application of a new methodology. Therefore, it cannot be sold at a high price nowadays, and so it cannot be applied by experienced consultants. The methodology has to become known so as to be applied more widely and to become an important commercial argument for Thales.
Nonetheless, this methodology is a first step in a commercial offer which promises to be powerful once it is ready. A long time is necessary between the creation of a methodology and the first official contract, but it is surely worth the wait.
Bibliography
o AFNOR, ISO/CEI 17799:2005, June 2005
o Bouvier P., Integrated Security Risk Management; Part 2: The Risk Analysis, December 2004
o Bouvier P., Thales Security Systems, interviews, 2005-2006
o Cesar Consulting, Le Dauphin Y., Anticiper et gérer le risque social, November 2005
o DCSSI, Expression des Besoins et Identification des Objectifs de Sécurité Mémento, 2004, http://www.ssi.gouv.fr/fr/confiance/documents/methodes/ebiosv2-memento-2004-02-04.pdf [January 2007]
o Developpez.com, Normes de sécurité : les méthodes d'analyse de risques, EBIOS, 2005, http://cyberzoide.developpez.com/securite/methodes-analyse-risques/ [January 2007]
o Developpez.com, Normes de sécurité : les méthodes d'analyse de risques, MARION, 2005, http://cyberzoide.developpez.com/securite/methodes-analyse-risques/ [January 2007]
o Dubois G., Thales Security Systems, interviews, 2005-2006
o Girard G., Counter-Admiral, editor of the review "Défense national et sécurité civile", interviews, 2005-2006
o Le Dauphin Y., Cesar Consulting, interviews, 2005
o Lebouc T., Thales Security Systems, interviews, 2005-2006
o Pesch G., Thales Security Systems, interviews, 2005-2006
o Teamlog, La méthode Marion, 2003, http://www.securite.teamlog.com/publication/4/5/164/ [January 2007]
o Thales, Annual report 2005, Overview page 3, http://www.thalesgroup.com/all/pdf/Thales_uk_2005.pdf [January 2007]
o TSS - Thales Security Systems, Comprehensive information system security, http://www.thales-security.com/download/pdf/brochures/Brochure%20IT%20security%20VA.pdf [January 2007]
o TSS - Thales Security Systems, Domaines, http://www.thales-security.com/index_fr.php [January 2007]
o TSS - Thales Security Systems, Identité, http://www.thales-security.com/fr/a_propos/identite.php [January 2007]
o TSS - Thales Security Systems, Présentation conseil, http://www.thales-security.com/fr/domaines/conseil/presentation.php [January 2007]
o TSS - Thales Security Systems, Site and Public event Security, http://www.thales-security.com/download/pdf/brochures/Site%20and%20event%20English.pdf [January 2007]
o TSS, ISO full, 2005