Performance And Analysis Of Risk Assessment Methodologies In Information Security

Transcription

1 International Journal of Computer Trens an Technology (IJCTT) volume 4 Issue 10 October 2013 Performance An Analysis Of Risk Assessment ologies In Information Security K.V.D.Kiran #1, Saikrishna Mukkamala *2, Anueep Katragaa #3 Dr.L.S.S.Rey* 4 #1 Faculty,Computer Science an Engering KL EF University(KLU) Vaeswaram,Inia. * 2 Stuent,Computer Science an Engering KL EF University(KLU) Vaeswaram,Inia. #3 Stuent,Computer Science an Engering KL EF University(KLU) Vaeswaram,Inia. Professor,Computer Science an Engering KL EF University(KLU) Vaeswaram,Inia Abstract This stuy equates a choice of methos that allow an organization to weigh their information security risk. The initial moels went through two selection iterations before we en up with the final three fully stuie moels. The main purpose of the stuy is to compare an clarify the ifferent activities, inputs an outputs require by each information security risk assessment moels an also analyse which ones aress information security risk effectively. The resulting information helps evaluating the moels applicability to an organization an their specific nees. In orer to verify an valiate the conclusions taken from the theoretical stuy of the three final moels, a practical experience was put into practice in a real organization. Keywors Risk Assessment Moels, Information Security Risk, Information Security, Risk Assessment, Risk Assessment Moels Comparison. I. PROBLEM Most of the organizations fin it ifficult an costly to eal with the Information Security in a proper way. When a new vulnerability or a new virus is recognize or etecte, the consequences can be comprehensive on the fly. In aition, it is clear that interoperability between organizations is significant an will become more important in the future. To provie fast an suitable response to security incients an to ensure interoperability between organizations, there is a nee for a systematic an pre-ef tactic to eal with Information Security challenge. II. INFORMATION SECURITY RISK ASSESSMENT Information security risk assessment is the progression that ientifies an valuates the risks to information security by efining the likelihoo of occurrence an the resulting impact. It uniquely recognizes threats, categorizes assets an rates system vulnerabilities as it provies key information an strategies to implement effective controls. III. INFORMATION SECURITY RISK ANALYSIS Risk analysis ( or Ientification ) generally involves : Ientification of assets: Information (atabases an ata files, contracts an agreements, system ocumentation, research information, user manuals, training material, working or support proceures, busss enurance plans, fall back arrangements, auit trails, an archive information); Software Assets (applicationsoftware,system software, evelopment tools, an utilities); Physical Assets (computer equipment, communications equipment, removable meia, an other apparatus);services(computing an communications services, general utilities, e.g. heating, lighting, power, an air-conitioning); People, an their qualifications, skills, an experience; Intangibles, such as promnce an image of the organization. Ientification of legal an busss requirements relevant for the ientifie assets. Collecting all policies, proceures an controls currently in place. Assess whether or not the existing policies, proceures an controls implemente are satisfactory. Ientification of substantial threats or risk sources. These threats can be fragmente into Human an nhuman elements. (Acts of nature, acts of war, accients, among others malicious acts originating from insie or outsie the organization). Ientification of vulnerabilities for the ientifie assets. Asset is ef as whatever having value to an organization. Threat is a latent cause of an unwante incient, which may consequence harm to a system or organization. ISSN: Page 3685

2 International Journal of Computer Trens an Technology (IJCTT) volume 4 Issue 10 October 2013 Vulnerability is a weakness of an asset or group of assets that can be exploite by one or more threats. It is the susceptibility to injury or attack. In computer security, the term vulnerability is applie to a weakness in a system which allows an attacker to intrue upon the integrity of that system. A requirement is a singular ocumente nee of what a specific asset shoul be, o or respect. Impact can be ef as the severity of the consequences of an event or incient. In the backgroun of information security, the impact is a loss of availability, integrity, an confientiality of information. Likelihoo is the probabilities of a threat to show up. An besies this relation, we shoul remin ourselves that given enough time an etermination, people can circumvent almost every security measure. They can be extremely creative when intereste. Therefore this motivation factor shoul be seriously aresse in the information security risk assessment course. In aition to this relation, new threats an vulnerabilities are unceasingly appearing an when consiering risks to information infrastructures, the number, type, an variation are overwhelming. Despite being har to keep up with all these new vulnerabilities an threats, they nee to be manage satisfactorily or else the organization future an existence can be enangere. Fig 1: Information Security IV. INFORMATION SECURITY RISK EVALUATION Risk evaluation or estimation is the process use to assign values to consequences, their likelihoo an to the level of risk. It involves: i. Assessment of the probability of the threats an vulnerabilities to ensue; ii. Calculation of the effect that each threat woul have on each asset; iii. Determination of quantitative (measurable) or qualitative (escriptive) value of risk. One significant thing to take into thought is that these three variables rarely are penent from each other. In information security, there s a possible relation between asset value, impact an probability. For example, it s more likely a hacker will exploit a vulnerability that causes a bigger impact than one with small impact. Likewise, a valuable asset has more probability of being compromise than a valueless one. Therefore, in this fiel we have to take into consieration more than simply ranom or unintene acts. V. A COMPARATIVE ANALYSIS ON INFORMATION SECURITY RISK ASSESSMENT MODELS There are several moels an methos with ifferent approaches that ai in the risk assessment process. This stuy will aress the methos that support the risk assessment process an those which can be applie to information security. Thus, methos that are not classifie as risk assessment or risk management oriente or that are general management oriente (i.e. corporate governance) frameworks like Coso, Cobit or Basel II have been let off from the stuy. High-level reference ocuments like the ISO Guie 73 are also not taken into thought in this section. Risk assessment moels can be separate into quantitative an qualitative. 1) Qualitative vs. Quantitative Moels: Risk assessment moels can be parte into quantitative an qualitative. Quantitative moels use measurable, objective ata to eterm asset value, probability of loss, an accompanying risk(s). The goal is to try to calculate objective numeric values for each of the components gathere uring the risk assessment an cost-benefit analysis. Qualitative methos use a relative measure of risk or asset value base on ranking or separation into expressive categories such as low, meium, high; not important, important, very important; or on a scale from 1 to 10. A qualitative moel evaluates the impact an likelihoo of the ientifie risks in a rapi an cost-effective manner. The sets of risks recore an analyse in qualitative risk assessment can provie a founation for a attentive quantitative assessment. Both qualitative an quantitative approaches to security risk management have their avantages an isavantages. Certain ISSN: Page 3686

3 International Journal of Computer Trens an Technology (IJCTT) volume 4 Issue 10 October 2013 situations may call for organizations to implement the quantitative approach. Alternatively, organizations of small size or with limite resources will probably fin the qualitative approach much more to their liking. The following table abriges the benefits an rawbacks of each approach: TABLE I ADVANTAGES Quantitative Qualitative Risks are prioritize by Enables visibility an financial impact; assets unerstaning of risk are prioritize by ranking. financial values. Easier to reach Results facilitate consensus management of risk by t necessary to return on security quantify threat investment. frequency. Results can be t necessary to expresse in management-specific eterm terminology (for financial values of example, monetary assets. values an probability Easier to involve expresse as a specific people who are not percentage). experts on security or Accuracy tens to computers. increase over time as the organization buils historic recor of ata while gaining experience. TABLE II DISADVANTAGES Quantitative Impact values assigne to risks are base on subjective opinions of participants. Process to reach creible results an consensus is very time consuming. Calculations can be complex an time consuming. Results are presente in monetary terms only, an they may be ifficult for nontechnical people to interpret. Process requires expertise, so participants cannot be easily coache through it. Qualitative Insufficient ifferentiation between important risks. Difficult to justify investing in control implementation because there is no basis for a cost benefit analysis. Results are epenent upon the quality of the risk management team that is create. inclues a thorough stuy of the most relevant moels an a comparison between those same moels. 2) Moel Selection : There are several moels an methos that help in the risk assessment process. This stuy will aress the methos that support the risk assessment process an those which can be practical to information security. Therefore, methos that are not classifie as risk assessment or risk management oriente or that are general management oriente (i.e. corporate governance) frameworks like Coso, Cobit or Basel II are not consiere in this stuy. High-level reference ocuments like the ISO Guie 73 are also not taken into consieration as risk valuation moels. This ocument provies an outl of existing Information Security Risk Assessment methos, an a comparison that evaluates those ifferent methoologies. It aims to escribe an compare properties of Information Security Risk Assessment methos in a concise manner. Unless otherwise state, the wors moel an metho are use in this ocument to refer to an information security risk assessment metho or moel, though often times the full phrase is also use. After a perio of some research some moels were ientifie as suitable for evaluating information security risk. These moels are the following: i. OCTAVE ii. Mehari iii. MAGERIT iv. IT-Grunschutz v. EBIOS vi. IRAM vii. SARA viii. SPRINT ix. ISO x. NIST SP xi. CRAMM xii. MIGRA xiii. MAR xiv. ISAMM xv. GAO/AIMD xvi. IT System Security Assessment xvii. MG-2 an MG-3 xviii. Dutch A&K Analysis xix. MARION xx. Austrian IT Security Hanbook xxi. Microsoft s Security Risk Management Guie xxii. Risk IT As was state before, this is a non-exhaustive list. VI. EXISTING MODELS 1) Introuction : This chapter eluciates clearly how the stuy was carrie out. It exposes the methos an processes use to o the comparative stuy starting with a substantial list of information security risk moels. The chapter 3) First Iteration Selection Criteria : In the last section 22 risk assessment moels were acknowlege. However, some of them are more aequate to assess information security risks than others. Therefore, this first selection iteration plays to exclue some of the moels base in a criteria escribe below. These criteria assess four essential moel features. If a ISSN: Page 3687

4 International Journal of Computer Trens an Technology (IJCTT) volume 4 Issue 10 October 2013 moel oesn t hol any of those properties it will be exclue from the universe to stuy. The criteria use in this selection iteration are the following: /Guiel Is the moel really a metho? Or just a stanar or guiel? is ef as an orerly arrangement of parts or steps to achieve an en, a regular an systematic proceure of accomplishing something. Guiels are avice or instructions given in orer to guie or irect an action. A stanar is a set of rules wiely recognize or engage (especially because of its excellence) that control how people evelop an manage materials, proucts, services, technologies, tasks, processes, an systems. Exclue the moel if it isn t a metho. Ientifies Information Security Risks Does the ocument ientify Information Security Risks? Information security means guaring information an information systems from unauthorize access, use, isclosure, isruption, moification or estruction. The Security Risk level of a system is a mixture of the importance of maintaining the Availability that system, the Integrity of ata house on or manage by that system an the Confientiality of sensitive information eposite on that system. Exclue the metho if it oesn t ientify Information Security risks. Price an availability of ocumentation Is the information publicly avai sufficient to properly evaluate an compare the moel with others? Does the information comfort to answer all criteria questions? What s the assesse price to obtain all ocumentation an tools neee to implement the moel? Exclue the moel if it is unavai or too har/expensive to purchase. Last review When was the moel last revise or upate? Exclue if iscontinue, obsolete or not upate/reviewe in more than a ecae. Name OCTAVE Mehari MAGERI T IT- Grunschu tz EBIOS NIST SP CRAMM MIGRA MAR ISAMM GAO/AIM D IT System Security Assessmen t MG-2 an MG-3 Security Risk Manageme nt Guie Austrian IT Security Hanbook or Guiel? Stana r an Guiel Guiel Guiel s an Case Stuie s Guiel Guiel Guiel Guiel Ienti fier IS Risks Docum entatio n? Expens ive Expens ive Last Revie w N/A 2 n Iterati on? N/A N/A N/A N/A 4) Criteria Applie to Each Moel : After the efining the selection criteria, each moel was scrutinize an evaluate using those criteria. ISSN: Page 3688

5 International Journal of Computer Trens an Technology (IJCTT) volume 4 Issue 10 October 2013 Microsoft security risk manageme nt guie Risk Dutch A&K Analysis MARION Guiel Frame work Up to ate Availa ble N/A Obsol ete Obsol ete 5) Chosen s : As a result of applying the 4 criteria escribe above, 16 of the 22 initial moels were exclue. These moels in t conform with one or more criterion an for that reason they won t be stuie in more unerstaning. netheless, six moels were in conformance with all the criteria. These moels are: Octave,Mehari, Magerit, IT-Grunschutz, Ebios an IRAM. Only these moels will be measure after this point. 6) Secon Iteration Selection Criteria : Despite having reuce the initial universe of moels to almost one fourth, six is still a significant number of moels to stuy in etail (consiering the present time an people limitations of this work). Therefore, the universe of moels will again be reuce through another set of stanars. The 5 selecte criteria are escribe below: Complexity, Effort an preparation This criterion tries to reflect the level of preparation, information, effort an skills neee to implement the moel, an the level of etail an scope of the risk analysis results. To express this criterion in a more quantitative manner, moels are classifie uner three levels of complexity: Little grounwork neee; less etail/accuracy in the output. Quick assessment; Some preparation neee; meium output etail/accuracy. Broa preparation an effort neee; more etail/accuracy on the output. Approach of the moel The risk assessment approach each moel avocates (e.g. self-assessment, interviews, workshops). This criterion oesn t preten to analyse the approach in great etail. It will only consier the main ieas an strategies of each moel. A more comprehensive analysis will take place in the next section. Tools If the moel provie supportive tools an how can we obtain them. This criterion is ivie into the following categories: tool; Pai tool (but with a trial perio); Pai tool (with no trial avai); software tool but has supporting ocumentation(e.g. worksheets,questionnaires, forms); supporting tools. Origin In this stuy three likely sources for a moel were consiere. These entities can be: Acaemic; Governmental; Commercial. Geographical sprea Countries in which the moel is known to be implemente. 7) Comparison Criteria : This section familiarizes the criteria that will be use to evaluate an compare the three information security risk assessment moels in more etail. Some of the moels characteristics were alreay analyse uring the selection process escribe above. Some of these assessment criteria are similar to the criteria use before, but in this section the moels will be analyse in more complexity. Below we have the escription of the new set of criteria: Concept efinition This criterion pretens to clarify an istinguish the three information security risk assessment moels by ientifying an escribing their basic an most relevant concepts. It evaluates the resemblances an ifferences between the concept efinitions each moel proposes. The concepts that will be uner evaluation in this stuy are: Risk, Asset, Vulnerability, Threat, Impact, Control (or Risk Treatment), Resiual Risk, an Security Requirements or Objectives. Approach to information security assessment The risk assessment approach each moel avocates (e.g. self-assessment, interviews, workshops). This measure analyses the approach with greater etail than the previous section analysis an also compare the three final moels consequently. To assess the approach at this stage moels are characterize uner the following aspects: Description (of the approach) Main activities How risk is calculate Results an output This criterion analyses the etail of each moels output after the risk assessment is complete. It tries to evaluate the quality, clarity of the information prouce. It also ifferentiates moels that generate qualitative an quantitative ata, an moels that recommen information security controls of countermeasures, allowing the organization to continue the risk management course. ISSN: Page 3689

6 International Journal of Computer Trens an Technology (IJCTT) volume 4 Issue 10 October 2013 Complexity This criterion tries to reprouce the level of preparation, information, effort an skills neee to implement the moel, an the level of etail an scope of the risk analysis results. This criterion was also use in the selection process, but in this section the final moels will be equate in more etail. To asses this level moels are characterize uner the following aspects: Level of etail; Inputs / Preparation neee (ease of gathering the neee information); Techniques; People involve; Effort; Time; Skills neee; The above mentione criteria will be applie to the three moels in the following sections. 8) Results an Output OCTAVE The information prouce after unertaking the OCTAVE methoology is the following: Critical Assets; Security Requirements for Critical Assets; Threats to Critical Assets (incluing the concerns to an organization if a threat is realize) Risks to Critical Assets (the risks are a simple quantitative measure of the extent to which the organization is stuck by a threat. This relative risk score is erive by bearing in min the extent to which the consequence of a risk impacts the organization against the comparative importance of the various impact areas, an possibly the probability) IRAM IRAM methoology generates the following information an reports: Phase 1: Busss impact rating an assessment summary forms; Phase 2: Threat an vulnerability assessment reports, etaile security requirements report; Phase 3: Control evaluation an selection reports; BIA Summary T&VA Summary CS Summary IRAM s approach helps to ef the criticality an promnce of information systems. IT-GRUNDSCHUTZ Relation between main IT applications, their protection requirements an the rationales behin the assignment of protection requirements categories. IT assets uner evaluation (busss-critical information an IT applications) mappe with IT-Grunschutz moules. IT security/risk level of the organization (obta through a security check that verifies if appropriate security methos are implemente or not) provies etaile technical commenations 9) Complexity : OCTAVE Level of etail There are ifferent OCTAVE methos base on OCTAVE Criteria. The methos are precise guiels for implementation planning with a goo level of feature but with no technical etails. Inputs / Preparation neee Obtain management support an allot appropriate organizational assets to the process. Evaluation Scope (the extent of each evaluation must be ef); Establish risk evaluation measures accoring to the organization; Ientify the people that will join in the workshops an interviews. Techniques Workshop-style, collaborative setting an is supporte with guiance, worksheets, an questionnaires, which are involve in the metho. People involve In OCTAVE, an interisciplinary team, calle the analysis team, leas the evaluation. The analysis team shoul contain people from both the busss units an the IT epartment (because information security inclues equally busss- an technology relate issues), an from multiple organizational levels (senior management, mile management, an staff). Effort (time) Some ays or weeks of training are sufficient. Skills neee Busss an IT skills an knowlege. IRAM Level of etail Analyses information risk at ifferent levels of etail epening on factors such as management iscretion, perceive criticality / importance or avai time (e.g. high-level analysis through to etaile analysis). Inputs / Preparation neee Profile of system, Risk Evaluation Criteria, Security Requirements, Impact Areas. Techniques Workshop base (typically conucte with busss an IT staff), Face- to-face interviews, One user guie for each phase, Process oriente, Busss Impact Reference Table (BIRT), ISF threat information inquiry. People involve Busss an IT staff. Effort (time) 3-5 ays (for each system).1-2 weeks per risk analysis. Skills neee Meium level of expertise yesirable (Risk Analysis practitioner, little technical knowlege neee). IT-GRUNDSCHUTZ Level of etail Very etaile (more than 3000 pages). It comprises both common IT security recommenations for establishing an applicable IT security process an ISSN: Page 3690

7 International Journal of Computer Trens an Technology (IJCTT) volume 4 Issue 10 October 2013 etaile technical recommenations to accomplish the necessary IT security level for a specific omain. Inputs / Preparation neee Ientifying the area of application within which the process shoul apply. The information an busss processes that are to be protecte must be ientifie; Ascertaining the ominant conitions; Techniques Has a methoology that emonstrates how the angers liste in the IT-Grunschutz Catalogues [GS-KAT] can be use to carry out an scrutiny of IT risks. People involve Aime at persons responsible for IT operations an IT security as well as IT security officers, experts, consultants an all intereste parties entruste with IT security management. Effort (time) Some weeks of training are enough. Skills neee Specialist (thorough knowlege an experience is require) REFERENCES [1] Sun, L.., Srivastava, R., Mock, T.: An Information Systems Security Risk Assessment Moel uner Dempster-Shafer Theory of Belief Functions. Journal of Management Information Systems, Vol. 22,. 4, Spring 2006: (2006) [2] Alberts, C.: Common Elements of Risk. Technical te CMU/SEI-2006-TN-014, Carnegie Mellon University (April 2006) [3] SPRINT: Risk Analysis For Information Systems, User Guie, Version 1.0. The European Security Forum (1997) Bayne, J.: An Overview of Treath an Risk Assessment. SANS Institute, as part of the Information Security Reaing Room (2002) [4] A Risk Management Stanar. AIRMIC, ALARM, IRM, Lonon (2002) [5] Brewer, D.: Risk Assessment Moels an Evolving Approaches. IAAC workshop, Senate House, Lonon (2000) [6] Jeremy Hilton,Pete Burnap an Anas Tawileh: s for the ientification of Emerging an Future Risk, ENISA (2007) [7] Inventory of risk assessment an risk management methos. ENISA a hoc working group on risk assessment an risk management (2006) [8] W.G. Bornman L. Labuschagne: A Comparative Framework for Evaluating Information Security Risk Management s. Stanar Bank Acaemy for Information Technology,Ran Afrikaans University (2004) [9] Alberts, C. an Dorofee, A An Introuction to the OCTAVE. Software Engering Institute, Carnegie MellonUniversity,USA. ISSN: Page 3691

8 International Journal of Computer Trens an Technology (IJCTT) volume 4 Issue 10 October 2013 ISSN: Page 3692