Creation of a Risk Assessment Methodology

Nicolas Lefebvre

Master of Science Thesis, Stockholm 2007


CREATION OF A RISK ASSESSMENT METHODOLOGY

Presented at Industrial Ecology, Royal Institute of Technology

Supervisor & Examiner: Ronald Wennersten

TRITA-IM 2007:13, ISSN 1402-7615, Industrial Ecology, Royal Institute of Technology, www.ima.kth.se

Final Degree Project, KTH – Industrial Ecology

Company: Thales Security Systems
Supervisor: Ronald WENNERSTEN
Student: Nicolas LEFEBVRE

April 28th 2007

Final Degree Project

2007-04-12

Nicolas Lefebvre Creation of a Risk Assessment Methodology Page 2/57


Abstract

This report presents the work carried out during an internship at the consultancy division of Thales Security Systems from September 2005 to June 2006. Thales Security Systems is part of Thales, an international group active in defence, aeronautics and other sectors.

The work consisted in creating a new risk assessment methodology for a commercial offer called HELP, which stands for Human, Environmental, Logical and Physical security. As a basis for the work, 5 existing risk assessment methodologies were studied, summarised and analysed:

• Integrated security risk assessment: a methodology created by Thales Security Systems but not used because of its complexity
• Ebios: a complete risk assessment methodology created by the French government
• Marion: more or less an audit questionnaire
• Audit questionnaire ISO 17799: an audit questionnaire created by Thales Security Systems
• A confidential methodology: a methodology of another company with interesting concepts

To complete this first piece of work, many interviews were conducted with specialists in risk assessment and strategy:

• Counter-admiral Girard, who insisted on the preliminary task of defining the mission and its limits, on the return of experience and on the security frame of mind
• Guy Dubois, on maintaining the security level year after year
• Thomas Lebouc, on the tools used to apply the methodology
• Gérard Pesch, regarding the commercial offer
• Yves le Dauphin, on the human issues

Afterwards, the advantages and drawbacks of the studied methodologies were compared so as to determine the essential characteristics the new methodology had to have.

The new methodology was then created taking into account all these advantages, drawbacks and pieces of advice. It is a five-step methodology:

• Definition of the mission and its limits: determination of the objectives of the mission and its perimeter
• General analysis of the system: study of the system in its environment
• Risk analysis: determination of the threats, assets and vulnerabilities
• Protection standards: determination of the protection measures to implement
• Budget, action plans and implementation

To apply the methodology, several tools were created. They are necessary for the methodology to run well, as they help to present results clearly. Examples of these tools are a risk analysis board, a vulnerability audit questionnaire, diagrams and protection standard sheets.


Table of contents

Abstract ... 3
Table of contents ... 5
Introduction ... 8
Aims and objectives ... 9
Methodology ... 10
I_ Presentation of the company and its needs ... 11
I_1. Thales – Organisation ... 11
I_2. Thales Security Systems ... 12
I_3. Consultancy division ... 13
II_ Description: Presentation of several different methods and interviews ... 14
II_1. Methodologies ... 14
II_1.1. Integrated Security Risk Management – Philippe Bouvier ... 14
II_1.1.1. Identification of targets to protect ... 15
II.1.1.1.a Define missions related to the system ... 15
II.1.1.1.b Identify targets in the system ... 15
II.1.1.1.c Evaluate the security needs of each target ... 15
II_1.1.2. Identification of threats and vulnerabilities ... 15
II.1.1.2.a Identify threats ... 15
II.1.1.2.b Identify existing security measures and residual vulnerabilities ... 15
II_1.1.3. Focus on risks and protective solutions ... 16
II.1.1.3.a Define the risk zone to be covered ... 16
II.1.1.3.b Propose a risk reduction plan ... 16
II_1.2. Ebios ... 17
II_1.2.1. Study of the context and the environment ... 17
II_1.2.2. Evaluation of the security needs ... 18
II_1.2.3. Study of the threats ... 18
II_1.2.4. Identification of the security objectives ... 18
II_1.2.5. Determination of the security expectations ... 18
II_1.3. Marion ... 19
II_1.3.1. Principles of the methodology ... 19
II_1.3.2. Running of the methodology ... 19
II.1.3.2.a Preparation ... 19
II.1.3.2.b Vulnerability audit ... 19
II.1.3.2.c Risk assessment ... 20
II.1.3.2.d Action plan ... 20
II_1.4. ISO 17799 – Questionnaire Audit ... 22
II_1.5. Confidential risk assessment methodology ... 23
II_2. Interviews ... 24
II_2.1. Interviews Counter-admiral Girard ... 24
II_2.2. Interviews Guy Dubois ... 24
II_2.3. Interviews Thomas Lebouc ... 25
II_2.4. Interviews Gérard Pesch ... 25
II_2.5. Interviews Yves Le Dauphin ... 25
II_3. Application on two sites ... 26
III_ Analysis: Comparison of the methodologies ... 27
IV_ Discussion: the new methodology ... 30
IV_1. Expectations of the company ... 30
IV_2. The new methodology ... 30
IV_2.1. Introduction ... 30
IV_2.2. General Principles ... 30
IV_2.3. General Organisation ... 31
IV_2.4. Glossary ... 34
IV_2.4.1. Asset ... 34
IV_2.4.2. Threat ... 34
IV_2.4.3. Vulnerability ... 34
IV_2.4.4. Risk ... 34
IV_2.5. Step 0: Definition of the mission and its limits ... 35
IV_2.6. Step 1: General analysis of the system ... 35
IV_2.7. Step 2: Risk Analysis ... 37
IV_2.8. Step 3: Protection standards ... 39
IV_2.9. Step 4: Budget, action plans and implementation ... 41
IV_2.10. Advantages ... 42
IV_2.10.1. Accidents and malevolent actions ... 42
IV_2.10.2. Security return on investment ... 42
IV_2.10.3. Definition of the mission ... 42
IV_2.10.4. Several levels of application ... 42
IV_2.10.5. Lots of references and return of experience ... 42
IV_2.10.6. Easy to use tools ... 43
V_ Application and practical tools ... 44
V_1. Security needs ... 44
V_1.1. Security needs ... 44
V_1.2. Criticity of assets scheme ... 44
V_2. Vulnerability audit ... 46
V_2.1. Questionnaire ... 46
V_2.2. Scheme ... 46
V_3. Vulnerability board ... 48
V_4. Protection standard sheet ... 49
V_5. Risk analysis board ... 50
V_5.1. Global threat ... 50
V_5.2. Attractiveness ... 50
V_5.3. Vulnerabilities ... 50
V_5.4. Vulnerability level ... 50
V_5.5. Impact ... 50
V_5.6. Real threat ... 50
V_5.7. Qualification of the risk ... 51
V_6. Miscellaneous ... 53
V_6.1. List of threats ... 53
V_6.2. Risk Analysis questionnaire ... 53
VI_ Further discussion ... 54
Conclusion ... 56
Bibliography ... 57


Introduction

Security and risk assessment are becoming more important every day. Globalisation, new means of communication, the rise of terrorism and other factors increase the threats and risks that companies have to contend with. More than ever, risks are, or at least should be, at the centre of every company's strategy. Risks are no longer due only to accidents and errors: new risks now appear that are due to malevolent actions and to external and internal aggressors.

Enclosing an industrial site used to be sufficient protection, but aggressors are now more intelligent and better equipped, so the way of protecting a site must adapt to these new risks. Assessing risk is therefore becoming not only frequent but necessary. Many companies have created their own way of assessing risks and dealing with them. Unfortunately, these methods are often too simple and not adapted to the rapid rise of malevolent actions. Moreover, they are generally created by people who cannot easily explain them to new employees. The security frame of mind is not yet present in companies.

There is therefore an obvious need for risk assessment methodologies. Companies have to know their specific risks in order to counter them and to implement security measures adapted to those risks.

To create a new risk assessment methodology, a study was carried out of the existing methodologies and of interviews with several specialists of the risk assessment sector. This study describes how several methodologies run and emphasises their respective advantages and drawbacks. When they are compared with each other, it is obvious that none of them is the adequate methodology, the right one.

A new methodology gathering the advantages of the different existing methodologies would therefore constitute a real improvement in risk assessment.


Aims and objectives

The aim of the project was to create a new risk assessment methodology in keeping with the spirit of the company, which could be applied on every risk assessment project by young and inexperienced consultants not yet specialised in the risk assessment domain.

The objectives of the project were to:

o Determine the needs of the company
o Gather information on several existing risk assessment methodologies
o Compare the different methodologies
o Create a new methodology
o Apply it on a specific practical case to develop practical tools
o Improve the methodology and maintain it


Methodology

The first task of the internship was to understand how the consultancy division of the company was run and what it needed from a new methodology. The requirements of the company I was working for were the first element to understand, so that the methodology created would be adapted to its wishes.

Creating a new methodology also required a clear and well-defined way of working. To succeed in my mission, I decided to compare several different risk assessment methodologies already in use in the risk assessment business. The sources of information used for this work were the internet, interviews, conferences, books and documents. Comparing the existing methodologies was necessary to gain sufficient knowledge of risk assessment and of risks in general, but also to be able to create the new methodology, since it is actually based on the 5 methodologies (and their main advantages and drawbacks) studied during the internship.

The first 5 months of the internship were entirely theoretical, as they were spent studying these existing risk assessment methodologies: understanding their organisation and their main advantages and drawbacks. This work showed which characteristics the new methodology should have and which drawbacks should be avoided. The methodology was also developed thanks to many interviews with specialists in risk assessment and in strategy, during which my questions and problems were often answered. These interviews helped to reach a better methodology, more adapted to the expectations of the market.

To reach the best possible methodology, it was then tested on two different practical cases, which are not summarised in this report for obvious reasons of confidentiality. Nonetheless, the improvements made possible by this test have been integrated into the methodology. The tools needed to use the methodology properly, which were developed thanks to the application tests, are also described in this report.


I_ Presentation of the company and its needs

The internship took place in the consultancy division of Thales Security Systems during a 10-month period from September 2005 until June 2006. A short description of the company follows, to better understand the work done for it. This small diagram is a simple representation of the position of the consultancy division, in which the internship took place.

I_1. Thales – Organisation

Traditionally described as "professional electronics", the Thales group's businesses are primarily dedicated to critical information systems for defence, aerospace, transport and civil security applications. Thales provides its customers with all the key functions in the critical information loop, from detection and processing to transmission and distribution, including command and control, decision support and operational analysis.

In 2004, the Group reorganised itself into six divisions, each defined according to its respective markets. The new structure fosters closer relations with customers and leverages technical and technological commonalities to serve both military and civil markets more efficiently.

– The Aerospace division covers three major segments: equipment for civil and military aircraft, mission electronics for combat aircraft, and airborne surveillance & mission systems for armed forces and civil security authorities,

– The Air Systems division serves two main markets: air defence and missile systems for military customers, and civil air traffic management systems,

– The Land & Joint Systems division develops network-centric systems and network-enabled equipment for land forces and joint and allied commands. It also draws on its dual technology capabilities to develop tailored offerings for selected civil customers,


– The Naval division focuses on four key areas of expertise: warship prime contracting, systems for surface ships, underwater systems and naval services, including maritime security,

– The Security division leverages the Group's technology expertise to provide risk management solutions for civil, government and private-sector customers,

– The Services division capitalises on Thales’ experience in providing IT services, simulation-based training and other services to military and aerospace customers, with an extended offering tailored to major government, institutional and enterprise customers.

All six divisions draw on a common platform of technologies underpinning the complex systems and real-time information management that Thales customers require. Enhancing that platform of technologies on a permanent basis, up to 20,000 Thales engineers and technicians in all Group companies operate as a worldwide network to conduct focused research and development in partnership with the international scientific and academic research community. All divisions benefit directly from the Group's multidomestic presence, an exceptional asset that enables Thales to forge close ties with governments and local customers in each country of operation in order to meet national sovereignty requirements more effectively. Expanding this international presence remains a top strategic priority. (Thales annual report 2005, Overview page 3, 2005)

I_2. Thales Security Systems

Thales Security Systems belongs to the security division of Thales, whose goal is to bring the expertise of Thales in transverse security and innovation in security solutions so as to ensure an absolute security on every market, i.e. for companies but also for important events (Olympic Games, World Cup, etc.) and for governments (the struggle against terrorism, for example). (TSS, Site and public event security, 2007)

The divisions of Thales Security Systems are the following: (TSS, Domaines, 2007)

o Security of sites and events
o Operational Security Centres
o NRBC (nuclear, radioactive, biological and chemical) Security
o Identity (security of passports, national identity cards, etc.)
o Information systems Security
o Consultancy division

Thales Security Systems creates, sells and assembles technological systems whose goal is to protect the critical infrastructures of its customers (companies, local communities, governmental organisations) all over the world. Thanks to its 6 divisions, these systems cover all the aspects of global security.

Thales Security Systems offers a broad range of services such as consultancy work, architectural definition, integration of complex systems and other solutions for the design, installation, implementation and maintenance of security systems. (TSS, Identité, 2007)

I_3. Consultancy division

The consultancy division of Thales Security Systems is one of the smallest divisions of the company: it is composed of 30 people and has a total turnover of around 10 million euros. It delivers two kinds of consultancy reports.

First, Thales Security Systems has built a transverse offer for the management of security risks, based on long work with the managers of important companies. This offer gives chief executive officers a transverse vision of security risks, which helps to know where it is urgent and necessary to implement security solutions, and thus helps to favour the sustainable development of the companies. (TSS, Présentation conseil, 2007)

Second, the consultancy division can also bring technical solutions for the security of information systems. To carry out these missions, it performs vulnerability audits, studies the architecture of the information systems, or even tries to enter the information systems so as to show evidence of their weaknesses. This work is done by so-called ethical hackers. (TSS, Comprehensive information system security)

As externalisation, delocalisation, globalisation, etc. are nowadays a reality, new laws, new regulations and new threats are appearing (sanitary risks, terrorism…). Companies therefore have to contend with new kinds of risks, because of the increasing number of stakeholders they have to deal with for their development. Moreover, companies often cope with risks activity by activity and not on a transverse scale. Therefore, the consultancy division of Thales Security Systems created an offer covering all the needs of risk management, whatever they may be: human, environmental, logical or physical. This offer is called HELP, standing for Human, Environmental, Logical and Physical.

Logo for the HELP offer


II_ Description: Presentation of several different methods and interviews

During the internship, several different methods for assessing risks were studied. Moreover, many interviews were conducted during the creation of the methodology, to understand the most important characteristics any risk assessment methodology should have. This part describes the general organisation and the specificities of the existing methodologies, together with a summary of the most important interviews.

II_1. Methodologies

II_1.1. Integrated Security Risk Management – Philippe Bouvier

Integrated security risk management is a white paper written by Philippe Bouvier of Thales Security Systems. It includes a risk analysis part (chapter 2) which describes a risk assessment methodology. This methodology has 7 phases gathered in 3 main steps, as shown in the following diagram:

Diagram of Philippe Bouvier’s methodology


II_1.1.1. Identification of targets to protect

II.1.1.1.a Define missions related to the system

The goal of this step is to determine the aims and objectives of the system studied and to understand its main missions.

II.1.1.1.b Identify targets in the system

The targets of the system are the employees, the goods and everything that contributes to the objectives and missions of the company. Compromising one of these targets could be harmful to the system's missions defined in the first step.

The value of the targets is important information for distinguishing the critical assets. This value should be estimated and assigned. It depends on the cost to acquire and maintain the asset as well as on the loss it would cause if lost or destroyed. This value helps to calculate the cost of the assets and to better judge the security measures to be implemented in the future (a highly valuable asset should be better protected than a cheap one).

The main result of this step is the identification of the critical targets and their value.

II.1.1.1.c Evaluate the security needs of each target

To prevent the loss of a target, it is necessary to implement security measures. Therefore, for every target in the list that has just been identified, this step evaluates its security needs in confidentiality, availability and integrity.

Knowing these security needs facilitates the choice of the security measures. The main result of this step is therefore a matrix giving the security needs on these 3 criteria for each target.

II_1.1.2. Identification of threats and vulnerabilities

II.1.1.2.a Identify threats

The purpose of this step is to determine the list of threats that could be harmful to the system and could compromise its missions (cf. step 1). These threats should be linked to the objectives and missions they could compromise.

For instance, an objective could be to assure the confidentiality of internal telephone conversations, while the threat would be the tapping of internal telephone calls. At the end of this step, the main result is a matrix linking the objectives to the selected threats.

II.1.1.2.b Identify existing security measures and residual vulnerabilities

For each identified target, it is necessary to evaluate the actual protection level against the selected threats. This consists in identifying the vulnerabilities of the system by considering the gap between the actual level of protection and best practice. To identify them, it is useful to:


o Gather the best practices of protection measures for the type of company concerned
o Gather the internal studies such as audit reports, vulnerability tests, etc.
o Use the work of experts, etc.

Two matrices can then be produced at the end of this step:

o A matrix giving the targets linked with their vulnerabilities
o A matrix giving the threats related to the vulnerabilities to alleviate

II_1.1.3. Focus on risks and protective solutions

II.1.1.3.a Define the risk zone to be covered

This step is a synthesis of the risk analysis; it helps to estimate the risk level to which the system is exposed. Estimating this level of risk requires some criteria, which are:

o Gravity or impact: this criterion corresponds to the damage or impact level that a threat could cause to an asset, should the threat occur
o Probability, or the frequency of the threat

As a synthesis, a matrix giving the gravity and the probability linked to the threats is produced. Then, taking into account the probability and impact of each risk, the organisation gets a better understanding of which risks are the most critical and thus which ones should be reduced. Therefore, at the end of this part, some risks are selected to be reduced by protection means, and others are accepted because they have a low risk level, i.e. a low impact and a low probability.

II.1.1.3.b Propose a risk reduction plan

For all the risks selected, protection measures must be taken. They are gathered in the risk reduction plan. According to this plan, risks can be:

o Transferred, usually to an insurance company
o Rejected: the risk is just ignored
o Reduced, by implementing security measures
o Accepted: the management understands the situation and decides to live with it

The risk reduction plan is the final document produced by this methodology. It also includes a matrix linking the threats to the measures that should be implemented to reduce the risks.

Source: Bouvier, 2004


II_1.2. Ebios

EBIOS stands for expression of needs and identification of security objectives. EBIOS is used to identify the risks to which an information system is exposed and to propose a security policy adapted to the security needs of the company. It was created by the DCSSI (general direction of information system security) of the French Defence Ministry.

The EBIOS methodology is accompanied by a free software tool which helps to simplify the application of the methodology and to create synthesis documents automatically. It is a 5-step methodology:

Diagram of EBIOS methodology

II_1.2.1. Study of the context and the environment

The study of the context helps to identify which information system is the centre of the study. This step defines the limits of the study: the presentation of the company, the architecture of the information system, the technical and legal constraints, and the commercial stakes.

Moreover, an information system is based on critical elements, functions and organisations, which constitute hugely valuable entities for the company. This step consequently also defines the critical equipment and the human, technical and organisational means of the company.

II_1.2.2. Evaluation of the security needs

The evaluation of the security needs helps to estimate the risks and to define the risk criteria. During this step, the users of the information system define the security needs of the different targets according to the impacts that they judge unacceptable.

The security needs are expressed according to criteria such as availability, integrity and confidentiality.

II_1.2.3. Study of the threats The study of the threats helps to identify the risks depending on the

technical architecture of the information system. Then, the list of vulnerabilities is established depending on the equipment, the architecture and the software but not on the origins of the threat and their causes.

This step consequently consists of selecting and/or identifying the threats and vulnerabilities of the company and its information system.

II_1.2.4. Identification of the security objectives

The identification of the security objectives confronts and links the security needs and the selected threats, so as to emphasize the risks against which the information system should be protected. Indeed, there is no need to protect what is not threatened. The protection measures are then adapted to the system studied.

This step helps to identify the security objectives, which form the main part of the security specifications and recommendations. The purpose of the security objectives is to alleviate the vulnerabilities that create the different risks.

II_1.2.5. Determination of the security expectations

The determination of the security expectations sets the limits of the protection measures. Obviously, a company cannot eliminate every risk; some risks will have to be accepted so as to keep the protection measures affordable.

This is one of the most important tasks of a risk manager: deciding whether a risk has to be accepted, covered or reduced. The answer to this strategic question depends on the cost of the risk impacts and on its probability of occurrence.

EBIOS consequently provides a methodology that helps to build a security policy based on a risk assessment of the company's environment and its vulnerabilities.

Sources: Developpez.com - EBIOS, 2005 ; DCSSI, 2004


II_1.3. Marion

II_1.3.1. Principles of the methodology

Marion is a risk assessment methodology oriented towards information systems. It was developed by the CLUSIF (French club of information security) but was abandoned in 1998 in favour of another methodology called MEHARI. It is a security audit methodology, which gives a quantitative evaluation of the logical risks of a company in different domains of security. Marion is based on the evaluation of the organisational and technical aspects of security.

II_1.3.2. Running of the methodology

The methodology is based on audit questionnaires dealing with precise domains. The questionnaires help to evaluate the vulnerabilities of the company in these specific domains of security. They are based on hundreds of questions with different weights.

The methodology uses 27 indicators classified in 6 different themes. Each indicator gets a mark from 0 (not secure at all) to 4 (excellent). The themes are the following:

o Organisation of the security
o Physical security
o Business continuity
o Logical organisation
o Logical security
o Software security

Marion is a 4-step methodology as described below.

II.1.3.2.a Preparation

The first step is called the preparation step. It defines the different security objectives to be reached as well as the limits of the study, i.e. what is going to be studied by the methodology. Once these limits are defined, the methodology can be implemented properly.

II.1.3.2.b Vulnerability audit

The vulnerability audit is the step where the vulnerability questionnaires are answered. These answers help to identify the different risks regarding the security of the information system. At the end of the audit, a diagram is built representing the marks given for each indicator and emphasizing the most important risks.

Here is an example of the Marion diagram:


Example of a MARION vulnerability diagram

This diagram represents in a circle the value and the marks for each indicator. It is a way to show the vulnerabilities and the vulnerable points of the information system, underlining those that should be protected.

Another diagram is built at the end of this step. It represents the gap between each mark and the target value for each indicator; this target value is 3 out of 4. The gap is weighted according to the importance of the indicator for the system studied. It is then possible to see the most important vulnerabilities of the information system.
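The gap diagram computation described above, as an added example that is not part of the thesis or of the Marion method's own tooling: marks from 0 to 4 against the target of 3, weighted by an assumed importance scale, ranked to produce the rows of the gap diagram, plus the per-theme averages of the circular vulnerability diagram and the marks still to gain for the action plan. The indicator names, weights and marks are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

TARGET_MARK = 3  # Marion target level: 3 out of 4
MAX_MARK = 4     # marks run from 0 (not secure at all) to 4 (excellent)


@dataclass(frozen=True)
class Indicator:
    name: str
    theme: str     # one of the 6 Marion themes
    mark: int      # 0..4, from the weighted audit questionnaire
    weight: float  # importance of the indicator for the system studied (assumed scale)


def weighted_gap(ind: Indicator, target: int = TARGET_MARK) -> float:
    """Distance to the target mark, weighted by the indicator's importance.
    Indicators already at or above the target contribute no gap."""
    if not 0 <= ind.mark <= MAX_MARK:
        raise ValueError(f"mark out of range for {ind.name}: {ind.mark}")
    return max(0, target - ind.mark) * ind.weight


def rank_gaps(indicators: List[Indicator],
              target: int = TARGET_MARK) -> List[Tuple[str, str, int, float]]:
    """Rows of the gap diagram, most important vulnerability first."""
    rows = [(i.name, i.theme, i.mark, weighted_gap(i, target)) for i in indicators]
    return sorted(rows, key=lambda r: r[3], reverse=True)


def theme_averages(indicators: List[Indicator]) -> Dict[str, float]:
    """Average mark per theme, as plotted on the circular vulnerability diagram."""
    marks_by_theme: Dict[str, List[int]] = {}
    for i in indicators:
        marks_by_theme.setdefault(i.theme, []).append(i.mark)
    return {theme: sum(marks) / len(marks) for theme, marks in marks_by_theme.items()}


def action_plan(indicators: List[Indicator],
                target: int = TARGET_MARK) -> Dict[str, int]:
    """Marks still to gain, per indicator below the target, for the action plan step."""
    return {i.name: target - i.mark for i in indicators if i.mark < target}


# Constructed sample audit (not real data): seven indicators across the six themes.
SAMPLE_INDICATORS = [
    Indicator("Security charter", "Organisation of the security", 3, 2.5),
    Indicator("Access badges", "Physical security", 2, 2.0),
    Indicator("Backup procedures", "Business continuity", 1, 3.0),
    Indicator("Segregation of duties", "Logical organisation", 2, 1.0),
    Indicator("Password policy", "Logical security", 0, 1.5),
    Indicator("Antivirus deployment", "Logical security", 2, 1.0),
    Indicator("Change management", "Software security", 4, 1.0),
]

if __name__ == "__main__":
    for name, theme, mark, gap in rank_gaps(SAMPLE_INDICATORS):
        print(f"{gap:5.1f}  {mark}/{MAX_MARK}  {name} ({theme})")
    print(theme_averages(SAMPLE_INDICATORS))
    print(action_plan(SAMPLE_INDICATORS))
```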

II.1.3.2.c Risk assessment

The risk assessment helps to prioritize the different risks according to their importance and their criticality (major risks and simple risks). The information system is then divided into different entities for a more detailed analysis. These entities are classified according to the threats, their impacts and their probability. 17 kinds of threats are defined by this methodology but are not going to be described here; as examples, a physical accident or a logical attack on the network can be cited.

II.1.3.2.d Action plan

The action plan is the last step of the methodology. It proposes several solutions to implement so as to raise the marks of the indicators to the target level (3 out of 4). The costs of reaching these target levels are evaluated, as well as the tasks necessary to reach them.

To conclude, this methodology is quite simple to implement and is well suited to comparing different companies or sites that are audited.


Example of a MARION gap diagram

Sources: Developpez.com - Marion, 2005; Teamlog, 2003


II_1.4. ISO 17799 – Questionnaire Audit

Thales has created a questionnaire audit based on ISO 17799, called ISO full. It is a questionnaire that takes into consideration all the recommendations of ISO 17799, so as to create questions related to these recommendations. These questions are gathered in the same categories as in ISO 17799, namely the following:

o Security policy
o Security organisation
o Classification and control of sensitive valuables
o Security of the employees
o Physical and environmental security
o Management of the communication
o Access control
o Development and maintenance of the information system
o Management of the business continuity
o Conformity

Once the questions are answered, a diagram is generated automatically, as in the Marion method. The diagram shows the actual vulnerability level and a target level, which is determined by interviews with the company studied according to its basic security needs. This is not a methodology but a practical tool, useful when an audit is required without any risk analysis or study of the system in its environment. It is a very useful tool when time is short.

Sources: TSS, ISO full, 2006; AFNOR, 2005


II_1.5. Confidential risk assessment methodology

Another risk assessment methodology was studied during the internship. Unfortunately, this one is strictly confidential and cannot be described in this report. Nonetheless, some interesting information can be emphasized. This methodology defines the concept of attractiveness of a target: some targets are more interesting than others. For example, regarding terrorism, it is far more interesting for the aggressor to attack an explosive target in the middle of an overcrowded city than a farm, because the two do not have the same image and the same impact on people's feelings. This concept is essential when dealing with malevolent actions.

Moreover, this risk assessment methodology calculated a return on investment for security measures, but this calculation was neither clear nor easy to handle. Nonetheless, it is one of the first methodologies mentioning the possibility of computing a return on investment, which is a really good idea, especially for a domain (security) that requires a lot of money.

Unfortunately, this methodology dealt only with malevolent actions and was thus not wide enough.


II_2. Interviews

II_2.1. Interviews Counter-admiral Girard

Counter-admiral Georges Girard was met several times during the creation of the methodology. He is the editor of a specialised strategy and security review called “Défense Nationale et Sécurité Civile”. He elaborated war strategies for France before becoming editor.

According to him, the most important thing to do when you receive a mission from someone is to reformulate and redefine it, so as to be sure that the mission is well understood and that everybody agrees on it. Moreover, before starting a mission, Admiral Girard thinks it is necessary to determine its limits and its perimeter, and that everyone agrees on them.

It is also necessary to have general principles when applying a risk assessment methodology. These general principles are the following:

o Security is a frame of mind: people who work in risk assessment should always be thinking about it. This frame of mind is one of the most important things to teach to the customers of a risk assessment. They should learn to think about security and never neglect any small detail, for example logging off your computer when you leave, or shutting and locking the office door when leaving. When you have the security frame of mind, a big part of the job is already done.

o The return of experience is necessary and essential: experience is of course an advantage, especially for people working as consultants.

(Interviews Counter-Admiral Girard, 2005-2006)

II_2.2. Interviews Guy Dubois

Guy Dubois was the supervisor of this internship. He contributed to creating the methodology thanks to his experience in risk assessment and security. The methodology reflects many of his ideas and his years of experience as a consultant in risk management. He is one of the most important contributors to the success of this methodology.

According to him, an essential point in a risk assessment methodology is to have an iterative process. This appears in the methodology and is called the maintenance of the security level. Accordingly, the methodology should be applied year after year, because threats, companies, vulnerabilities, etc. evolve. Moreover, it helps to achieve a continuous improvement of the security level within a company.

(Interviews Guy Dubois, 2005-2006)


II_2.3. Interviews Thomas Lebouc

Thomas Lebouc was another supervisor for this internship. He helped me with the implementation of the methodology thanks to his commercial experience and his frequent contact with customers. The methodology tools reflect many of his ideas.

According to him, an essential point in a risk assessment methodology is to be clear and to have specific and easy-to-use tools. Questionnaires and diagrams are necessary to convince a customer and to show results quickly and clearly. Moreover, a methodology is good only if many people can use it easily, which is why it is better to have clear schemes and diagrams rather than too many pages of explanation. The methodology has to be as simple as possible.

(Interviews Thomas Lebouc, 2005-2006)

II_2.4. Interviews Gérard Pesch

Gérard Pesch is the manager of the consultancy division of Thales Security Systems. He is one of the managers who carry the HELP offer in Thales Security Systems. He has many commercial meetings and wanted this methodology to become a new commercial opportunity.

According to him, it is really important that the methodology integrates the HELP offer in its tools and principles, so as to correspond to the commercial offers of the company.

(Interviews Gérard Pesch, 2005-2006)

II_2.5. Interviews Yves Le Dauphin

Yves le Dauphin is one of the associates of Cesar Consulting, a consultancy company in human resources. This company has a partnership with Thales Security Systems for the human part of the HELP security offer.

According to him and to his consultancy company (Cesar Consulting, 2005), the organisation of security is essential for the security of a company. People should know what they are responsible for, what they should do in case of an accident, and what they should do in their everyday work. There should be procedures and checklists of actions to take if an incident occurs. An organisation chart is necessary to know which employee is responsible for the proper functioning and maintenance of the protection means, etc.

The security actions and procedures should be embedded in the working tasks that every employee has to do. Moreover, accidents are often due to poor organisation, inadequate behaviour or poor knowledge of the security procedures and routines. Human errors are very often the source of the most important catastrophes (Chernobyl for example). Therefore, security education and training is an effective way to decrease the number of errors and accidents.

(Interviews Yves le Dauphin, 2005-2006)


II_3. Application on two sites

The methodology was applied on two specific sites in France for the French company Suez: a water production site and a heat production site. During these missions, many security and risk management professionals were met. Their experience and knowledge have been gathered into the methodology and its application tools.

Moreover, these two missions gave information on these two specific domains, i.e. water and heat production, and their specific threats and risks, such as water pollution. This helped to update some of the tools. The methodology should improve itself at each mission.


III_ Analysis: Comparison of the methodologies

So as to create the new methodology, an analysis board was established. This board emphasizes and compares the 5 studied methodologies, dealing with their advantages and drawbacks. The conclusion of this board is summarised in its last column, called the “new methodology” column. This column shows how the different drawbacks are reduced or eliminated and which advantages should be included in the new methodology.

Methodology / Interviews | Advantages | Drawbacks | New methodology: How it should be!

Bouvier
  Advantages:
  - Good definitions of the different concepts in risk assessment: risk, threat and vulnerability
  - Easy calculation to evaluate a risk: probability * gravity
  - Description of the security needs
  - Important lists of threats, vulnerabilities and targets
  - Organisational security taken into account
  Drawbacks:
  - Mainly adapted to the security of information systems
  - No easy-to-use tools for the application of the methodology
  - The diagrams proposed by the methodology to present the results are not clear
  - No target level of protection
  - Not easy to compute the diminution of the risks when implementing a protection measure
  - Methodology really difficult to implement by another consultant
  New methodology:
  - Adapted to all kinds of system and company
  - Linked to useful and easy-to-use tools
  - Diagrams showing clearly the results
  - Existence of a target level
  - Take the list of threats, vulnerabilities and targets
  - Same definitions of risk, threat and vulnerability

EBIOS
  Advantages:
  - A tool can generate risk assessment reports directly when the tool is well filled in
  - Description of the security needs
  - Organisational security taken into account
  Drawbacks:
  - Mainly adapted to the security of information systems
  - The software tool is really difficult to use
  - The methodology is not so clear when going more in detail
  - No quantification of the level of the risks, threats and vulnerabilities
  - No possible update
  New methodology:
  - Adapted to all kinds of system and company
  - Clear and easy-to-use tools
  - Quantification and calculations as much as possible
  - Possible update

MARION
  Advantages:
  - Precise questionnaire audit
  - Diagrams showing directly the important results
  - Quantification of a target level of protection
  - Old method with many previous updates
  - Adequate to compare different sites
  - Organisational security taken into account
  Drawbacks:
  - Mainly adapted to the security of information systems
  - Not a whole risk assessment methodology, more oriented towards a questionnaire audit
  - No possible update
  New methodology:
  - Adapted to all kinds of system and company
  - Take the questionnaire audit and the diagram showing the important results
  - Target level of security
  - Possible to compare different sites

Advantages, Drawbacks of the methodologies studied – Characteristics of the new methodology


Methodology / Interviews | Advantages | Drawbacks | New methodology: How it should be!

ISO 17799 Questionnaire audit
  Advantages:
  - Questionnaire made from an international standard
  - The questionnaire is divided in categories that cover the 4 categories of the HELP offer
  - Diagrams showing directly the important results
  - Quantification of a target level of protection
  Drawbacks:
  - Mainly adapted to the security of information systems
  - The questions are not clear at all, too long, and difficult to answer
  - Not a whole risk assessment methodology, only a questionnaire audit
  New methodology:
  - Adapted to all kinds of system and company
  - Clear and easy-to-use tools
  - Take the questionnaire audit and the diagram showing the important results
  - Target level of security
  - Cover the 4 categories of HELP

Confidential methodology
  Advantages:
  - Definition of attractiveness
  - Definition of a security return on investment
  - Existence of a list of protection standards
  Drawbacks:
  - Mainly oriented towards malevolent actions
  - Tools only applicable on the sites of the company which created the methodology
  - The return on investment is difficult to compute for a specific risk or a specific protection measure
  - Absence of a definition of the mission and its limits
  New methodology:
  - Attractiveness, return on investment
  - Adapted to all kinds of system and company
  - Define the mission and its limits

Advantages, Drawbacks of the methodologies studied – Characteristics of the new methodology (2)

IV_ Discussion: the new methodology

IV_1. Expectations of the company

As described in the previous parts, several different methodologies exist in the risk assessment domain. Indeed, many companies have created their own methodology to assess risks. The advantages and drawbacks of several of them have already been described.

According to many consultants, these methodologies are not clear enough, not complete enough, not linked with the customers' activities, or too complicated to be used efficiently. There is consequently an obvious need for a methodology that could be applied more easily by people who do not have the time to read hundreds of pages of methodology, and that could be used for every type of security risk.

The consultancy division of Thales Security Systems was therefore expecting a methodology that could be used by all its consultants, with specifically designed tools adapted to their issues and easy to handle. The need for a methodology adapted to every kind of risk was strong, so as to correspond to the offer called HELP, described previously.

The methodology created would then become a strong new commercial offer for the company, thanks to the combination of the main advantages of the different existing methodologies.

IV_2. The new methodology

IV_2.1. Introduction

The methodology as described in the following paragraphs is composed of these 4 important steps:

o The general analysis of the system
o The risk assessment
o Protection standards
o Budget, action plans and implementation of security

These four steps are preceded by the definition of the mission and its limits, named step 0 as it comes as a prelude to the methodology.

IV_2.2. General Principles

In parallel to these four steps, the methodology defines general principles that can be applied to all these steps and that emphasize the security frame of mind necessary for a good result. This part shows that security is not only words; people have to think about it and live with it, not against it.

Finally, it is worth noting that the methodology can be applied on several levels:

o Strategic level
o Operational level in a business unit
o Site level
o And even on a project level or on a process


IV_2.3. General Organisation

Here is a scheme of the general organisation of the new methodology for risk assessment, created thanks to the study of the previously existing methodologies.


Tasks | Method | Deliveries

Definition of the mission and its limits
  Tasks:
  - Definition of the mission
  - Definition of the perimeter and the limits of the mission
  - Definition of the goals to reach
  Method:
  - Interviews meeting and launching meeting
  Deliveries:
  - Description of the mission
  - Perimeter and goals of the mission
  - Presentation of the company
  - Report of the interviews
  - Presentation of the business case
  - Summary of the different tasks to be done and projected planning

Step 1: General Analysis of the System
  Tasks:
  - Study the system and its environment
  - Describe the environment of the system
  - Analyse the organisational, technical and human means
  - Define the security needs in CIA (confidentiality, integrity, availability)
  Method:
  - Questionnaires
  - Interviews
  - Business impact assessment methods
  - Etc.
  Deliveries:
  - Report of the interviews
  - Description of the environment
  - Architecture of the system
  - Description of each activity
  - General organisation of the company
  - Quantification of the needs of security

Step 2: Risk analysis
  Tasks:
  - List the specific threats
  - Determine the probability and the attractiveness of the threats
  - Select the critical assets
  - Classify these assets in zones of colour
  - Determine the vulnerabilities of the critical assets
  - Map the risk
  Method:
  - Questionnaires
  - Interviews
  - Analysis of the system
  - Return of experience of other consultants
  - Lists of threats
  - Lists of vulnerabilities
  - Calculations
  Deliveries:
  - List of the selected threats and their probability
  - List and zoning of the selected critical assets
  - List of the selected vulnerabilities
  - Correlation threat – asset – vulnerability
  - Zoning
  - Map of risks

Summary of the different tasks, method and deliveries of each step


Tasks | Method | Deliveries

Step 3: Protection standards
  Tasks:
  - List the best practices and the applicable laws for the kind of company
  - Identify the protection standards by threat
  - Definition of the existing protection levels and of the necessary protection levels by zones and threats
  - Calculation of the vulnerability levels and of the real threat
  Method:
  - Study of the market
  - State of the art in protection measures
  - Return of experience of other consultants
  - Interviews
  - Calculations
  - Etc.
  Deliveries:
  - Protection standards
  - Levels of protection, level of vulnerability, level of real threat, etc.

Step 4: Budget, Action plans, Security implementation
  Tasks:
  - Define the cost of the risks
  - Determine the initial level of risks
  - Take correcting measures
  - Define the corrected level of risks
  - Determine the return on investment
  Method:
  - Calculations
  - Return of experience
  - Insurance calculations
  - Etc.
  Deliveries:
  - Risk level
  - List of correcting measures
  - Corrected level of risks
  - Security return on investment

Summary of the different tasks, method and deliveries of each step

IV_2.4. Glossary

Here are some of the different notions that have to be clarified before the explanation of the methodology. Some other words specific to this methodology appear in the report, but they are defined when they appear for the first time.

This methodology uses the same definitions as the methodology called “Integrated security risk management”, as they seem to be clear and adapted to the new methodology's concepts. (Bouvier, 2004)

IV_2.4.1. Asset

An asset is a person, a logical or physical target or a valuable interest.

IV_2.4.2. Threat

Occurrence of an action or event that could compromise a target.

IV_2.4.3. Vulnerability

Weakness of a target or of its environment that could be exploited by a threat agent.

IV_2.4.4. Risk

A risk is the probability that a threat agent can exploit the vulnerability of an asset. It is an unpredictable event that hinders the achievement of an objective. A risk is therefore a combination of these first three key words; if one of them is missing, there is no risk. For instance, if there is no asset, there is no risk!

The following diagram underlines the links between these three parameters and the definition of a risk.


IV_2.5. Step 0: Definition of the mission and its limits

The first step is essential for the methodology. It corresponds to the definition of the problem and of the mission to carry out. This step consists of a reformulation of the mission given by a customer and of the results (objectives) that should be obtained. It also helps to determine the perimeter of the study, i.e. its limits: everything outside this perimeter will not be taken into account for the risk assessment. Obviously, a small mistake in this step could have tremendous consequences on the risk analysis, which shows how important this step is.

Moreover, this step helps to determine the length and scope of the mission, and gives an idea of the deliverables wanted by the customer.

IV_2.6. Step 1: General analysis of the system

Step 1: General Analysis of the System

The first step of the analysis consists of a study of the whole company in its environment. This helps to present the company studied and the way it works. This step is necessary to determine the architecture of the system, i.e. the different organisational, technical and human means necessary for the company and its processes. Their description is produced using organisational charts, schemes and diagrams showing, for example, the various processes, the different flows or the production chains. The organisation of security is an essential point to address in this step, so as to know who is responsible for what and who has the power to implement security measures.


The real task is to understand how the company works and which activities and processes are really critical and important for its sustainability if an accident or a threat were to happen.

The environment of the company must be described as precisely as possible, since a great amount of important and pertinent information for the implementation of the methodology comes from the description of the environment (geographical environment, political environment, period of the study, etc.).

Afterwards, the security needs of the studied processes are defined and classified. A security need is linked to an asset or to a process. It represents the limit an asset or a process can bear without compromising the interests of the company, i.e. how critical the different assets are.

These security needs will be needs in:

o Confidentiality: information about a target that should not be disclosed except to those with authorized access
o Integrity: a target must not be modified or destroyed
o Availability: access to a target must be guaranteed to authorized personnel when required

These security needs are linked to the different assets of the studied company. This helps to understand the company, so as to know what is really critical for its sustainability. This is the first step of the analysis; the previous steps were only a description of the company and its activities.


IV_2.7. Step 2: Risk Analysis

Step 2: Risk Analysis

For the risk analysis, two kinds of threats are studied: on the one hand, the accidental threats, i.e. errors, accidents, etc., and on the other hand, the voluntary threats, called malevolent actions.

At the beginning of this step is a map of the threats, which is a simple list of classical threats and categories of threats (e.g. fire, flood, etc.). Of course, some threats can be specific to one company, and then the list has to be updated. A certain number of threats is chosen jointly by the consultant and the company. All the threats that are to be taken into account in the study have to be selected during this step; the other threats will not be studied in this specific case.

Regarding accidents and errors, the purpose is to determine the probability of occurrence of each threat or each kind of threat. This is a quantitative value attached to the threat. It can be calculated or estimated, as insurance companies do.

Malevolent threats are also linked to a quantitative value, called the global threat. To determine it, several parameters must be taken into account:

o Geographical localisation

o Geopolitical events (terrorism, religious or civil wars, etc.)

o News

o The type of company studied, etc.


This value can be computed or, more often, estimated from the experience of security professionals, and sometimes from common sense.

The last important task in the determination of these values, when dealing with malevolent actions, is the notion of attractiveness. The attractiveness represents how interesting an asset is from an aggressor's point of view. The combination of the attractiveness and the global threat gives the quantitative value called the on-site threat, which the tool computes automatically.

Afterwards, a list of threats, both accidental and malevolent, is obtained. Each of these threats is now linked to a quantitative value. It is worth noting that some threats can be both malevolent and accidental (a fire, for example) and therefore have two different values; the higher of the two is then retained so as to obtain an optimal protection.

Threats determination

Then, the critical assets are defined and selected (according to the study in the first step). These assets are classified in a zoning describing the most critical areas of the studied company. If an asset is not exposed to any threat, it is not taken into account. The protection is thus oriented towards the selected threats and towards the critical assets that have to be preserved whatever happens.

The vulnerabilities of these assets are then determined through interviews (with an audit questionnaire) and visits. This part gives a cross-cutting view of the weaknesses of the company and its assets, so as to improve their protection.

Then, a risk map and a risk analysis board are established by combining the information obtained during this step, which is the most demanding of the methodology in terms of time and effort.


IV_2.8. Step 3: Protection standards

Step 3: Protection Standards

After the applicable laws and constraints (regulations, best practices and the state of the art in security for the studied domains and activities) have been determined, protection standards can be defined. These protection standards are protection equipment, a new organisation, or even recommendations such as the training of employees, that should be implemented so as to reduce the level of risk. They are classified into the HELP scheme (human, environmental, logical and physical protection means) and presented in protection standard sheets.

Thanks to that, it will be possible to determine the actual level of protection of the assets by an immediate comparison with the defined standards.

The difference between the actual level of protection and the required level of protection defines the level of existing vulnerabilities. If an asset is as protected as the protection standards require, then the level of existing vulnerabilities is 0. This is therefore a relative notion: it amounts to considering that the risk is equal to 0, i.e. that there is no risk. But this is only a convention used to decide when the level of protection is judged sufficient; in reality the risk is never equal to 0, as the following diagram shows. Residual vulnerabilities and risks have to be accepted.

This step is closely connected to the previous one, as the different calculations (for example of the real threat) are done in a risk analysis board gathering the information from both step 2 and step 3.


Level of vulnerabilities

So as to treat and alleviate these vulnerabilities, a budget corresponding to an action plan agreed with the company must be established.

The combination of the vulnerability and the probability of the threat represents the probability that a successful action (from the aggressor's point of view) happens. The real threat is then the probability of the threat once the existing level of protection is taken into account. This leads to a quantitative value that considers the asset, the threat and the vulnerability of the asset, i.e. the three components of a risk.


IV_2.9. Step 4: Budget, action plans and implementation

Step 4: Actions plans and security implementation

The cost of the risk is the estimated value of the assets, i.e. the money necessary to return to the previous situation once an incident has occurred (taking into account acquisition costs, the interruption of the activity in case of destruction, etc.). Its combination with the real threat gives the level of risk, which represents the potential losses.

So as to decrease the risk, corrective measures (generally aimed at reaching the protection standards) are taken. These measures decrease or even eliminate the vulnerabilities. A new, corrected level of risk is thus calculated.

The money necessary to improve the protection of the assets is then determined. It is then possible to compute the investment efficiency, also called the return on investment, as the ratio between the risk reduction and the investment costs.

This part has never been applied, for lack of time, so some details may obviously change. The way of computing the return on investment seems sound in theory, but it is really difficult to know the investment costs for a specific risk, as protection standards often protect against several risks.


IV_2.10. Advantages

IV_2.10.1. Accidents and malevolent actions

One of the important advantages of this methodology is that it considers both accidents and malevolent acts. As a matter of fact, the return of experience of Thales Security Systems and the study of several existing risk assessment methodologies give this methodology a great number of references and already studied threats and vulnerabilities.

Every kind of risk is then covered by a single methodology. It also integrates the 4 components of the HELP offer of Thales. Many of the studied methodologies actually consider only the logical security problems, or only the accidents.

IV_2.10.2. Security return on investment

The calculation of the return on investment is often missing in the security domain. Chief executive officers need these data so as to determine whether it is worth investing in security or not. The lack of data often leads to a lack of money in this domain, where it is hard to obtain investment as security is only a source of expense and not a source of income like production.

The calculation of the return on investment is missing from many risk assessment methodologies. Unfortunately, it has not been tested on the two practical application missions, and it still appears a little too complex to calculate.

IV_2.10.3. Definition of the mission

The definition of the mission is absolutely necessary when dealing with a customer. It is actually a way to protect the consultant, as the conclusions of this part set the limits of the study and the preliminary planning. It is also a good way to check that both the customer and the consultant have the same idea of what the main conclusions of the report are going to be. This methodology is helpful to know which risks a company would be sensitive to and to give recommendations on how to get protected, but the protection standards then have to be implemented, and the methodology is of no help for that.

This definition of the mission is a reformulation of the mission and of its limits, and is essential for the good course of the mission.

IV_2.10.4. Several levels of application

This methodology has the great advantage of being a general one. It could even be used for a war strategy, according to Counter-Admiral Georges Girard. It could of course also be used for the strategic decisions of a company, as every type of decision is a risk assessment, especially in a company. The technical and operational levels are also relevant application levels.

IV_2.10.5. Lots of references and return of experience

As several methodologies have been studied for the creation of this methodology, the different questionnaires, vulnerability and threat lists, and other information have been gathered in the documents and tools of this methodology. Moreover, a lot of Thales missions have been studied. The return of experience is a huge source of information for consultancy companies.


IV_2.10.6. Easy to use tools

So as to apply the methodology, tools have been created. The whole methodology is structured with application tools, like questionnaires, boards, standard protection sheets, and diagrams created nearly automatically as soon as the questionnaires are filled in. Therefore, consultants just have to focus on the information they get from the customers.

Some of these tools are described in the next part.


V_ Application and practical tools

The methodology that has just been described was applied on two different sites so as to improve it and to create practical tools to apply it. For obvious reasons of confidentiality, the results of these risk assessments will not be shown here. Nonetheless, the practical tools that have been created so as to apply the methodology are described here.

V_1. Security needs

V_1.1. Security needs

Thanks to interviews with the studied company, the security needs of each activity can be described. These security needs are expressed in terms of confidentiality, availability and integrity.

o Needs of confidentiality: represented on a scale telling which people are authorized to see and consult an asset without critical consequences for the company

o Needs of availability: represented on a scale telling how long an asset could be out of service without critical consequences for the company

o Needs of integrity: represented on a scale telling how much an asset could be damaged without critical consequences for the company

They give information on the criticity of the assets and processes studied. They are evaluated on a scale determined with the company, which goes from a small to a critical or vital security need. The vital level stands for the assets and processes whose loss would jeopardize the future of the whole company.

V_1.2. Criticity of assets scheme

Here is an example of the scheme that can be obtained. The final criticity level is actually an average security need evaluated from the three different security needs. If an asset has huge security needs, then it is critical.

It shows clearly and quickly which process and which asset are the most critical for the company’s sake. It gives a clear overview of the things that have to be protected against every potential threat.

[Figure: Assets and impacts. Bar chart of the criticity level (scale 0 to 4, in steps of 0.5) of asset or process 1 to asset or process 15, with bands labelled critical, important criticity, medium criticity and small criticity.]

V_2. Vulnerability audit

V_2.1. Questionnaire

A large questionnaire gathering several hundred questions has been created and implemented thanks to the return of experience of Thales, but also thanks to the classical vulnerabilities found in the different methodologies studied.

When this questionnaire is filled in, a scheme can be obtained that represents the actual level of security but also the target levels (objectives), i.e. the purpose in terms of security.

The questionnaire gathers questions in several categories. The first categories are those of the HELP offer: human, environmental, logical and physical.

Then, these first categories are divided into new ones more specific to the company.

Here is an example of a question and its calculations.

Question | Remarks | Percentage | Coefficient (1-4) | Vulnerability level | Objectives
Ex: Is the site totally enclosed? | Holes in the enclosure | 50 % | 4 | 2 | 4

The first two columns are quite easy to understand; the questions themselves are short and simple. The column named Percentage is the level of the answer, from No (value 0 %) to Yes (value 100 %). The fact that there are some small holes in the enclosure here makes the answer 50 % and not 100 %.

Then, the coefficient is linked to the importance of the question. Here it has the maximum value, because the enclosure is really important to deter thieves and malevolent people from entering the company's site. The vulnerability level is then the combination of the coefficient and the percentage. This calculation is performed by the tool itself; the coefficients are already set in the tool. Finally, the Objectives column represents the value that should be reached by the company. Here, of course, the site should be well enclosed and thus the value is 4.

The value of the Objectives column should be determined with the company, thanks to the return of experience of security risk managers but also to common sense (as in the example taken here).

All the questions are gathered in different categories, and average values are computed in the tool so as to give the following scheme.
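As an added example, not the thesis's tool, the following Python reproduces the scoring of the questionnaire row above and the category averages behind the scheme. It assumes the vulnerability level is the coefficient multiplied by the percentage, which is what the worked row (4 × 50 % = 2) implies; all questions other than the enclosure one are constructed.

```python
"""Scoring a vulnerability audit questionnaire as described in V_2.1.

Added example, not the thesis's own tool.  Each answer is scored from No (0 %)
to Yes (100 %); the vulnerability level of a question is assumed to be the
coefficient (1-4, importance of the question) multiplied by that percentage,
which reproduces the page's row: enclosure with holes, 50 %, coefficient 4,
level 2, objective 4.  Category averages of the levels and of the objectives
are the values plotted in the scheme.  All questions except the enclosure one
are constructed sample data.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Question:
    category: str      # HELP letter and sub-category, e.g. "P - Security of the site"
    text: str
    remarks: str
    percentage: float  # level of the answer: 0.0 (No) .. 1.0 (Yes)
    coefficient: int   # importance of the question, 1..4, preset in the tool
    objective: int     # level the company should reach, 1..4


def vulnerability_level(q: Question) -> float:
    """Combine coefficient and percentage (assumed: their product)."""
    if not 0.0 <= q.percentage <= 1.0:
        raise ValueError(f"percentage out of range for {q.text!r}")
    if not (1 <= q.coefficient <= 4 and 1 <= q.objective <= 4):
        raise ValueError(f"coefficient or objective out of range for {q.text!r}")
    return q.coefficient * q.percentage


def category_scheme(questions: List[Question]) -> Dict[str, Dict[str, float]]:
    """Average level and average objective per category: the data behind the scheme."""
    by_category: Dict[str, List[Question]] = {}
    for q in questions:
        by_category.setdefault(q.category, []).append(q)
    return {
        category: {
            "level": round(mean(vulnerability_level(q) for q in qs), 2),
            "objective": round(mean(q.objective for q in qs), 2),
        }
        for category, qs in by_category.items()
    }


def shortfalls(scheme: Dict[str, Dict[str, float]]) -> List[Tuple[str, float]]:
    """Categories ordered by the gap between objective and actual level, largest first."""
    gaps = [(cat, round(v["objective"] - v["level"], 2)) for cat, v in scheme.items()]
    return sorted(gaps, key=lambda item: item[1], reverse=True)


# Constructed questionnaire; the first row is the example given in the thesis.
SAMPLE: List[Question] = [
    Question("P - Security of the site", "Is the site totally enclosed?",
             "Holes in the enclosure", 0.5, 4, 4),
    Question("P - Security of the site", "Is the perimeter lit at night?",
             "Two dark sectors", 0.8, 3, 4),
    Question("P - Guards", "Is there a guard round at night?",
             "No round at weekends", 0.5, 2, 3),
    Question("L - Logical security", "Are passwords changed regularly?",
             "Passwords never expire", 0.0, 4, 4),
]

if __name__ == "__main__":
    scheme = category_scheme(SAMPLE)
    for category, values in scheme.items():
        print(f"{category:28s} level {values['level']:<5} objective {values['objective']}")
    for category, gap in shortfalls(scheme):
        print(f"gap {gap:<5} {category}")
```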

V_2.2. Scheme

Here is an example of a possible scheme obtained thanks to the vulnerability audit questionnaire.

[Figure: Vulnerabilities scheme. Bar chart on a scale from 0 to 8 for the categories P - Access control, P - Guards, P - Visitors and deliveries control, P - Security of the site, E - Pollution, E - Industrial security, H - Crisis management, H - Accidents management, H - Organisation, H - Human security, and L - Logical security.]

V_3. Vulnerability board

Here is an example of the organisation of a vulnerability board. This board gathers the most important categories of vulnerabilities. As a matter of fact, the vulnerability audit and the risk analysis board have made it possible to determine and gather all the vulnerabilities of the company and its assets.

Then, the vulnerabilities are classified and gathered in different categories so as to simplify the improvements: many vulnerabilities can actually be resolved by a single measure, for example when there is a problem of security organisation. These categories are given a priority linked to the qualification of the risk: a vulnerability causing a critical risk will be an important vulnerability.

The board helps to see quickly what are the most important vulnerabilities that have to be resolved as soon as possible.

HELP | Category of vulnerability | Vulnerabilities | Priority
H - Human vulnerabilities | Roles and responsibilities | * | Important
 | Accidents management | * | Important
 | Human resources | * | Small
 | Security organisation | -- |
 | Resilience, crisis management | * | Medium
E - Environmental vulnerabilities | Pollution – 1 | * | Important
 | Pollution – 2 | * | Medium
 | Back-up | * | Medium
L - Logical vulnerabilities | Passwords | * | Important
P - Physical vulnerabilities | Enclosures | * | Small
 | Building 1 security | * | Medium
 | Building 2 security | * | Important
 | All buildings security | * | Important
 | Guards | * | Medium

V_4. Protection standard sheet

Here is an example of the protection standards that are given at the end of the study. The difference between the actual level of protection and the required level of protection defines the level of existing vulnerabilities, which is necessary for the calculation of the real threat and the qualification of the risk.

Category of vulnerability: Resilience

Crisis management

Lack of check-lists and procedures

Report: The management of a crisis and business continuity in the company are not sufficiently formalised. There is an obvious lack of procedures that would let employees know what to do in case of a crisis.

Moreover, information would not be broadcast efficiently if a crisis happened. As a matter of fact, employees would not know which information is the most important to take good and quick decisions.

Besides, the list of phone numbers is never updated and many of the numbers no longer work.

Finally, it would be necessary to have check-lists of the first actions to take in case of a crisis for each kind of employee.

Identified risks: Here are the identified risks for the company

o Lack of reaction in case of a crisis

o More impacts and worse consequences

o Lack of information on what is happening

Recommendations Our recommendations are the following:

o Write and broadcast check-lists gathering the information about the actions to take in case of a crisis

o Create a list of the essential phone numbers. Update this list every month

o Create worksheets regarding the broadcasting of information in case of a crisis

A protection standard sheet like this one is produced for each category of vulnerabilities from the vulnerability board.

V_5. Risk analysis board

As a risk is a combination of an asset, a vulnerability and a threat, I have created a board, called the risk analysis board, so as to gather all the risks that the company should deal with. It also shows the results of step 2 and step 3. The way the board has to be filled in is described here.

V_5.1. Global threat

A quantitative value, called the global threat, is linked to each threat. This global threat corresponds to the probability of the threat. Its value goes from 1 (the threat practically never occurs) to 4 (the event is very likely to happen). These values are evaluated thanks to interviews and put in the Global Threat column of the risk analysis board.

V_5.2. Attractiveness

The attractiveness represents how interesting an asset is from an aggressor's point of view. This notion is of course only applicable to malevolent actions, as accidents do not choose to happen.

The attractiveness is linked to the nature of the asset: it depends both on a threat and on an asset. It does not depend on the protection measures that already exist to protect the site.

The attractiveness value goes from 1 to 4, just like the global threat. It is determined thanks to interviews, common sense but also by the return of experience of consultants.

V_5.3. Vulnerabilities

The vulnerabilities of the asset are its weaknesses. These weaknesses are physical, organisational, human, environmental and logical. They come from the vulnerability audit and also from the observations made during visits to the company.

This board gathers all the vulnerabilities of a company and links them to specific assets and threats so as to determine and emphasize the potential risks.

V_5.4. Vulnerability level

The vulnerability level is evaluated by comparison with the protection standards.

V_5.5. Impact

The impact is the first criterion for the determination of the risk level. It is determined by a combination of the criticity of an asset (its security needs) and the level of the threat and its potential consequences. For example, a fire has a huge impact, as it can destroy everything, even the infrastructure. The value of the impact goes from 1 to 4 again.

V_5.6. Real threat

The real threat is a combination of the global threat, the attractiveness, and the existing and actual protection level of the asset regarding a specific threat. This combination gives the value of the real threat, which is one of the criteria necessary to qualify the risk. Its value goes from 1 to 4.

V_5.7. Qualification of the risk

The qualification of the risk is given thanks to the following scale (rows: scale for the impact; columns: scale for the real threat):

Impact \ Real threat | 1 | 2 | 3 | 4
1 | Weak | Weak | Weak | Medium
2 | Weak | Medium | Medium | Medium
3 | Medium | Important | Important | Important
4 | Important | Critical | Critical | Critical

This qualification of the risk reinforces the notion of impact: as soon as the impact is important, the risk must not be underestimated. This is why a risk with an impact of 4 is at least an important risk. The qualification helps to classify and prioritize the different risks, and therefore to set priorities for the different recommendations that are given at the end of the study.

The example of the risk analysis board is presented on the next page.

[Figure: Example of an asset studied in the risk analysis board. Columns: Asset, Threat, Global threat, Attractiveness, Vulnerabilities 1 to 9, Vulnerability level, Impact (description and value), Real threat, Risk qualification. Example row: asset "Reservoir of coal", threat "Voluntary fire", global threat 2, attractiveness 4, vulnerability level 2, impact "Explosion and fire and destruction of other infrastructures" with value 4, real threat 2, risk qualification Critical.]
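As an added example, not the thesis's tool, here is the qualification grid of V_5.7 applied to lines of the risk analysis board. Since the thesis gives no formula for the real threat, it is taken as an evaluated input; the first line reproduces the coal reservoir row of the board example, and the other two lines are constructed.

```python
"""One line of the risk analysis board (section V_5) and its qualification.

Added example, not the thesis's tool.  Global threat, attractiveness, impact
and real threat are the 1-4 values the consultant evaluates; the thesis gives
no formula for combining them into the real threat, so the real threat is an
input here.  The qualification is the impact x real threat grid of V_5.7.
The first line of BOARD is the "Reservoir of coal / Voluntary fire" row of
the board example; the other two lines are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Rows: impact 1..4; columns: real threat 1..4 (grid of section V_5.7).
QUALIFICATION = {
    1: ("Weak", "Weak", "Weak", "Medium"),
    2: ("Weak", "Medium", "Medium", "Medium"),
    3: ("Medium", "Important", "Important", "Important"),
    4: ("Important", "Critical", "Critical", "Critical"),
}
SEVERITY = {"Weak": 0, "Medium": 1, "Important": 2, "Critical": 3}


def qualify(impact: int, real_threat: int) -> str:
    """Look up the qualification of a risk from its impact and real threat."""
    if impact not in QUALIFICATION or real_threat not in (1, 2, 3, 4):
        raise ValueError("impact and real threat must be between 1 and 4")
    return QUALIFICATION[impact][real_threat - 1]


def impact_floor_holds() -> bool:
    """Check the property stated in the text: impact 4 is always at least Important."""
    return all(SEVERITY[qualify(4, t)] >= SEVERITY["Important"] for t in range(1, 5))


@dataclass
class RiskLine:
    asset: str
    threat: str
    global_threat: int             # probability of the threat, 1..4
    attractiveness: Optional[int]  # 1..4 for malevolent threats, None for accidents
    vulnerabilities: List[str]     # weaknesses from the audit linking asset and threat
    vulnerability_level: int       # level of existing vulnerabilities: 0 when the
                                   # protection standards are met (IV_2.8), up to 4 (assumed)
    impact_description: str
    impact: int                    # 1..4
    real_threat: int               # 1..4, evaluated by the consultant

    def __post_init__(self) -> None:
        scale = [self.global_threat, self.impact, self.real_threat]
        if self.attractiveness is not None:
            scale.append(self.attractiveness)
        if any(v not in (1, 2, 3, 4) for v in scale):
            raise ValueError(f"board values for {self.asset!r} must be between 1 and 4")
        if self.vulnerability_level not in range(0, 5):
            raise ValueError(f"vulnerability level for {self.asset!r} must be 0..4")

    @property
    def qualification(self) -> str:
        return qualify(self.impact, self.real_threat)


def prioritised(lines: List[RiskLine]) -> List[RiskLine]:
    """Order the board for the recommendations: worst qualification first, then impact."""
    return sorted(
        lines,
        key=lambda line: (SEVERITY[line.qualification], line.impact, line.real_threat),
        reverse=True,
    )


BOARD: List[RiskLine] = [
    RiskLine("Reservoir of coal", "Voluntary fire", 2, 4,
             ["Vulnerability 9"], 2,
             "Explosion and fire and destruction of other infrastructures", 4, 2),
    RiskLine("Reservoir of coal", "Accidental fire", 3, None,        # constructed
             ["Vulnerability 9"], 2,
             "Explosion and fire and destruction of other infrastructures", 4, 1),
    RiskLine("Control room", "Power failure", 3, None,               # constructed
             ["Vulnerability 2"], 3, "Loss of supervision for a few hours", 2, 3),
]

if __name__ == "__main__":
    for line in prioritised(BOARD):
        print(f"{line.qualification:10s} {line.asset} / {line.threat}")
```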

V_6. Miscellaneous

V_6.1. List of threats

A list of threats has been established thanks to all the methodologies that have been studied. This list is a necessary basis to work with the company and to select the different threats that are going to be taken into account in the study.

V_6.2. Risk analysis questionnaire

A small questionnaire has been built for this important part of the work. It gathers the most important questions that have to be asked to the company so as to determine its most important threats and vulnerabilities. Employees are often aware of their weaknesses, and it can be a good way to understand and imagine the potential risks the company should take into consideration.

VI_ Further discussion

Some important points should be added for a better analysis of the report. The methodology that has been created is completely based on the existing risk assessment methodologies. Taking the best characteristics of each methodology and of each interview and gathering them in the new methodology was the purpose of this project. Some characteristics are not present in the new methodology, but nonetheless the final methodology gathers the following advantages that appeared in the existing methodologies:

o The definition of a risk (threat + target + vulnerability) from Bouvier's methodology

o The definition of security needs from Bouvier and EBIOS

o The vulnerability audit questionnaire with clear diagrams and a target level of protection from MARION and ISO 17799

o The definition of the concept of attractiveness and the concept of security return on investment from the confidential methodology

o The importance of the security frame of mind and of the return of experience as general principles from the interviews with Counter-Admiral Girard

o Security as an iterative process, as suggested by Guy Dubois

o The clear and simple application tools, as suggested by Thomas Lebouc

o The organisational part of security from the interviews with Yves le Dauphin

This methodology is thus a gathering of many points of view. The main difficulty was therefore that there were too many different points of view to take into consideration, and it was impossible to include all of them in the new methodology. It is thus not a perfect methodology, as some elements that were positive in other methodologies could not be implemented here for coherence and practical reasons. For example, the automatic generation of reports offered by the EBIOS methodology could not be implemented in the new methodology. Moreover, some drawbacks are still present, such as the difficulty of computing the security return on investment. Finally, as the methodology has only been applied twice, on two highly similar sites, it is still a really young methodology. The running of the methodology as well as the application tools that have been created are thus going to change and evolve through continuous improvement.

Another difficulty was my lack of experience in running this project, which made me lose a lot of time at the beginning of the internship, as I had to learn everything concerning risks, vulnerabilities, threats, targets and so on. I had a lot of difficulties creating this methodology in a theoretical way, and the application on two industrial sites really helped me to understand things and concepts in a better way and to create a more relevant methodology applicable to a practical case study. Some of the application tools may surely be more oriented towards a specific kind of mission, for example risk assessment on industrial sites. This is surely a problem, but these application tools can be easily improved and updated just by adding information for other missions.

The sources of information were quite reliable in general and did not cause a lot of problems. Many different people were involved and only the main interviews have been described here. As a matter of fact, all the consultants of the consultancy division of Thales Security Systems have been more or less interviewed in a formal or informal way. This methodology reflects the point of view of the whole consultancy division.

The application work that has been realised could have been done with other existing risk assessment methodologies so as to compare with other ways of assessing the risk. Perhaps it would have been better to have had other kinds of risk assessment methodologies, for example methodologies of industrial companies, but these companies want to keep their methodologies as secret as possible and I was not able to get access to them.

Confidentiality was another annoying part of this report and of the whole internship as it deterred me from exposing some details and results in this report but also from getting information when I was doing my internship. This is a really secret domain and that is why my study was mainly based on public risk assessment methodologies like EBIOS and Marion. This is surely one of the main drawbacks of the work that has been realised during this internship.

Conclusion

Thales is a huge company dealing with security. This company wanted to create a new methodology linked to its commercial offer called HELP. The internship, carried out over 10 months, had this methodology as its purpose. So as to fulfil this purpose, several methodologies have been studied and a lot of interviews have been carried out. Moreover, a draft methodology has been applied practically on two different sites of the company Suez so as to create application tools. The goal has thus been reached: a methodology has been created in line with the different wishes of the company. As a matter of fact, the new methodology seems to gather a great part of the different advantages of the studied methodologies, as well as the advice of the specialists interviewed.

Nonetheless, this new methodology is far from perfect. There are a lot of potential improvements. For example, it would be important to test the methodology again and again so as to confirm that it is applicable on every type of site, and also to update and improve it. Moreover, the last step of the methodology has not been tested because of a lack of time. It is thus not known yet whether the calculation of the return on investment is effective or not. This part is not reliable yet because no application tools have been implemented, and the calculation of the costs of the risks seems really difficult to carry out, as too many parameters should be taken into account. This budget part of the methodology is thus a huge drawback, but it is essential to emphasize that the notion of security return on investment is quite new, as is the concept of the cost of a risk.

One point that is important to underline also is that the methodology is still not known by companies and it is hard to find customers for the application of a quite new methodology. Therefore, it cannot be sold at a high price nowadays and it thus cannot be applied by experienced consultants. Therefore, the methodology has to get known so as to be applied more and to become an important commercial argument for Thales.

Nonetheless, this methodology is a first step in a commercial offer which promises to be powerful as soon as it is ready. A long time is necessary between the creation of a methodology and the first official contract but it is surely worth waiting for a while.

Bibliography

o AFNOR, ISO/CEI 17799:2005, June 2005

o Bouvier P., Integrated Security Risk Management; Part 2: The Risk Analysis, December 2004

o Bouvier P., Thales Security Systems, interviews, 2005-2006

o Cesar Consulting, Le Dauphin Y., Anticiper et gérer le risque social, November 2005

o DCSSI, Expression des Besoins et Identification des Objectifs de Sécurité Mémento, 2004, http://www.ssi.gouv.fr/fr/confiance/documents/methodes/ebiosv2-memento-2004-02-04.pdf [January 2007]

o Developpez.com, Normes de sécurité : les méthodes d’analyse de risques, EBIOS, 2005, http://cyberzoide.developpez.com/securite/methodes-analyse-risques/ [January 2007]

o Developpez.com, Normes de sécurité : les méthodes d’analyse de risques, MARION, 2005, http://cyberzoide.developpez.com/securite/methodes-analyse-risques/ [January 2007]

o Dubois G., Thales Security Systems, interviews, 2005-2006

o Girard G., Counter-Admiral, editor of the review “Défense national et sécurité civile”, interviews, 2005-2006

o Le Dauphin Y., Cesar Consulting, interviews, 2005

o Lebouc T., Thales Security Systems, interviews, 2005-2006

o Pesch G., Thales Security Systems, interviews, 2005-2006

o Teamlog, La méthode Marion, 2003, http://www.securite.teamlog.com/publication/4/5/164/ [January 2007]

o Thales, Annual report 2005, Overview page 3, http://www.thalesgroup.com/all/pdf/Thales_uk_2005.pdf [January 2007]

o TSS - Thales Security Systems, Comprehensive information system security, http://www.thales-security.com/download/pdf/brochures/Brochure%20IT%20security%20VA.pdf [January 2007]

o TSS - Thales Security Systems, Domaines, http://www.thales-security.com/index_fr.php [January 2007]

o TSS - Thales Security Systems, Identité, http://www.thales-security.com/fr/a_propos/identite.php [January 2007]

o TSS - Thales Security Systems, Présentation conseil, http://www.thales-security.com/fr/domaines/conseil/presentation.php [January 2007]

o TSS - Thales Security Systems, Site and Public event Security, http://www.thales-security.com/download/pdf/brochures/Site%20and%20event%20English.pdf [January 2007]

o TSS, ISO full, 2005
