Development and implementation of metrics for information security risk assessment


Page 1: Development and implementation of metrics for information security risk assessment

IIS 2006

Development and implementation of metrics for information security risk assessment

Mario Sajko

[email protected]

Page 2

Risk Assessment

An unavoidable method for information security improvement

Widely accepted as an instrument for information security management and analysis

A way to determine the required investment in security

Page 3

Risk Metrics

A system for gathering, assessing, measuring and comparing data that indicate the behaviour, results, condition and consequences of risk factors

A system for transforming the measured sizes and presenting the risk value in a way suitable for reporting to management

A system that answers the questions: which information will be gathered, which statistics will be computed, how the information will be gathered, and where and when it will be gathered

Page 4

Examples of different risk assessment approaches

Metric      Risk function
M. Krause   [threat] × [vulnerability] × [assets value]
FMEA        [S] × [O] × [D]
CRAMM       [value] × [threats] × [vulnerability]
RuSecure    Vulnerability, value, influence, frequency and possibility to work
FRAP        [Vulnerability], [business Impact]
NIST        Ranks matrix [Vulnerability], [threats]
ISO         Assets threats, probability of threats appearance, assets vulnerability, existing protection
Octave      [assets] × [threat] × [vulnerability]
COBRA       Relative relationship
What-if     Subjective assessment
ALE

Page 5

Actual risk assessment practice

Risk factors are combined and assessed in different ways

The consequence is a different calculation of the risk size

By using different methods we can obtain different risk values over the same group of assessment subjects

What is put in doubt is the cost determination and the quality of the assessment

Page 6

Why there are differences among risk assessment methods

The coordination of the technological and organizational components of a security system, and the way they are combined into the overall risk size, differs

The way the existing information about the infosec features is combined differs

The way the inputs are transformed into risk assessment sizes and values differs

Page 7

The problem can be solved!

Combining different forms of metric values into a metrics system

Establishing the kind of transformation of input data about the security state into information about the risk value

Coordinating the risk function with the security goal and the features of the information resource

Establishing connections among individual metrics for different areas of the IT infrastructure into an integral system

Page 8

Infosec risk dimension

The proportion of a particular dimension in the metrics system depends on the type of information assets as well as on the security goals of the company

It cannot be resolved in advance

Page 9

Risk metrics features

Immeasurable sizes should be turned into measurable ones

Subjective indicators should be turned into objective ones

Horizontal measure connection

Vertical measure connection

Results should suggest some changes and improvements

Page 10

To turn immeasurable sizes into measurable ones

The rule indicates that the risk factors for the observed assets have to be expressed in some way, however difficult or even impossible that may seem

What is recommended is the use of group assessment methods

Page 11

To turn subjective indicators into objective ones

The rule indicates that risk indicators should be made more exact and should also be quantified

Subjectivity in assessment is especially pronounced in descriptive risk expressions

What is recommended is transformation into numeric ranks (1-5, 1-10 and similar), relative sizes (%) or absolute values (frequency, probability)

Page 12

Horizontal relationship between measures

It determines the cumulation of assessment results on a particular level

Level (%)   Level       Point   Meaning
100%        Very high   1       Incident realisation is very achievable
75%         High        2       Possibility for incident realisation is high
50%         Medium      3       It is considered that there is a possibility for realisation of a security incident
25%         Low         4       Incident realisation risk is very low
(0%)        Lowest      5       There is a very low possibility that an incident will take place

Differently expressed results for each level of assessment must be aligned and cumulated in order to determine the amount of risk.
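As an added example (not from the slides), the Python below quantifies descriptive indicators on the five-level scale above (the numeric ranks and relative sizes of slide 11), applies several of the risk functions listed on slide 4 to the same constructed assets, and cumulates one level's results into a single label. The FMEA factor mapping, the rank inversion and the matrix rule are this example's own assumptions; the two assets are constructed.

```python
# Added example, not from the slides: slide 12 scale + several slide 4 risk functions.

# Slide 12 scale: label -> (point, relative size); dict form is the example's.
LEVELS = {"very high": (1, 1.00), "high": (2, 0.75), "medium": (3, 0.50),
          "low": (4, 0.25), "lowest": (5, 0.00)}

def to_point(label):
    """Subjective label -> numeric rank 1..5 (slide 11: quantify indicators)."""
    return LEVELS[label.lower()][0]

def to_share(label):
    """Subjective label -> relative size 0..1 (slide 12 percentage column)."""
    return LEVELS[label.lower()][1]

def from_share(share):
    """Cumulated relative size -> nearest descriptive level, for reporting."""
    return min(LEVELS, key=lambda k: abs(LEVELS[k][1] - share))

def product_of_shares(threat, vulnerability, value):
    """Krause / CRAMM / Octave form: [threat] x [vulnerability] x [value]."""
    return to_share(threat) * to_share(vulnerability) * to_share(value)

def fmea_rpn(severity, occurrence, detection):
    """FMEA [S] x [O] x [D] on inverted points (6 - point), so higher is worse (example convention)."""
    return ((6 - to_point(severity)) * (6 - to_point(occurrence))
            * (6 - to_point(detection)))

def nist_rank_matrix(vulnerability, threat):
    """NIST-style [vulnerability] x [threat] rank matrix; the constructed matrix here lets the worse (lower) point win."""
    return min(to_point(vulnerability), to_point(threat))

def assess(a):
    """One asset, several risk functions. Mapping value->S, threat->O and
    detectability->D for FMEA is this example's assumption."""
    t, v, val = a["threat"], a["vulnerability"], a["value"]
    return {"product_of_shares": product_of_shares(t, v, val),
            "fmea_rpn": fmea_rpn(val, t, a["detectability"]),
            "nist_matrix_point": nist_rank_matrix(v, t)}

def cumulate_level(assets):
    """Horizontal relationship (slide 12): cumulate one level's results into a single label."""
    shares = [assess(a)["product_of_shares"] for a in assets]
    return from_share(sum(shares) / len(shares))

# Constructed sample assets with descriptive (subjective) assessments.
ASSETS = [{"name": "customer DB", "value": "very high", "threat": "high",
           "vulnerability": "medium", "detectability": "low"},
          {"name": "intranet wiki", "value": "low", "threat": "medium",
           "vulnerability": "high", "detectability": "high"}]
```

Running assess() over both assets shows the point of slide 5: the product form separates the two assets sharply (0.375 versus 0.09375) while the rank matrix rates both at point 2.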

Page 13

Vertical relationship between levels of assessment

Means that on each superior level, the metrics system should be able to coordinate the risk information about the subordinate level according to the different types of assessment and metric types used

Page 14

Results should suggest some changes and improvements

The presented assessment results should indicate the trend and the changes over a time period, and should make it possible to foresee the future condition.

Graphic presentation techniques are recommended

The risk reports should not be too detailed

It is recommended to express the assessment results in quantitative terms

(risk tolerant < AssessedRisk < risk critical does not mean much)

Page 15

Security metrics system implementation

Stage of identifying the actual security program and the critical information assets

Finding out the risk factors that will be assessed and can be established for the targeted information assets

Assessment or assignment of similarity intensity (qualitative, descriptive, quantitative) to the security features

Risk size presentation

Page 16

CONCLUSION

The risk size depends on the metric type and on the way the metrics are used

Discovering and gathering some of the particular information needed for a metric is difficult because of the nature of the information assets being assessed

It is still an open question which risk metric assessment should be used in a specific situation

The modelling and development of a metrics system, as well as the question of metric quality, are still unsolved

The company has to determine the suitable metrics system for its security program.

Page 17

The benefits of this work

Definition of 5 features, the so-called "good metrics principles"

Some general suggestions for the implementation program:

Metric coordination with the security program

Determined responsibility for the metric program

Defined relationships among the measures (measuring consistency with the object of measuring and use of the corresponding metric type)

Assessment of only the important factors (assessment of less important risk factors not only "spoils" the assessment results but also turns our attention away from more important information)

A metrics system development process in a few key stages