In this section we illustrate our approach by reporting on the analysis of the central concept risk as extracted from the sources surveyed in Section 4.2. An emphasis is placed on the definition of risk and the identification of its associated components. Other characteristics of risk presented in its various definitions [SGF02, DCS04b, Fir03], like, for example, its value, are not currently considered. Conversely, risk sub-components or related concepts are directly involved in this step. In terms of object modelling [Obj04], the objective of this step is to identify the different 'objects' or 'classes' of the ISSRM domain model. The identification of the metrics, which will be the 'properties' or 'attributes' of these objects, is done in Chapter 5.
Considering the number of sources and concepts to study, it is unrealistic to describe the concept alignment, and every iteration performed for step 1, in a detailed manner. In this section, we present only the first iteration of step 1. Further activities involve other iterations, in order to review and improve the results.
Risk management standards
ISO Guide 73 gives the following definition of risk:
Risk: combination of the probability of an event and its consequence. [ISO02b, p. 2]
The AS/NZS 4360 source proposes a very close definition in its glossary:
Risk: the chance of something happening that will have an impact on objectives.
NOTE 1: A risk is often specified in terms of an event or circumstance and the consequences that may flow from it. [AS/04, p. 4]
Both sources show that a risk is composed of two related elements: a cause, called event or something happening; and a consequence, also called impact. This consideration holds for all risk domains. Next we compare both definitions with the ones from the security domain. Our purpose is a further refinement of our analysis.
Security-related standards
In ISO/IEC 13335, risk is defined in the glossary in terms of three involved concepts:
Risk: the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organisation. [ISO04b, p. 2]
The analysis of this definition shows that it is compliant with RM standards because risk is always composed of a cause and a consequence component. However the definition introduces some new concepts: the cause of the risk is presented as the combination of threat and vulnerability, and the consequence is called harm (cf. Table B.1 in Appendix B).
4.3 ISSRM concept alignment 89
- These threats therefore give rise to risks to the assets, based on the likelihood of a threat being realised and the impact on the assets when that threat is realised. Subsequently countermeasures are imposed to reduce the risks to assets. These countermeasures may consist of IT countermeasures (such as firewalls and smart cards) and non-IT countermeasures (such as guards and procedures).
- A threat consists of a threat agent, an asset and an adverse action of that threat agent on that asset.
- Threat agents are entities that can adversely act on assets. Examples of threat agents are hackers, users, computer processes, TOE development personnel, and accidents. Threat agents may be further described by aspects such as expertise, resources, opportunity and motivation.
- Adverse actions are actions performed by a threat agent on an asset. These actions influence one or more properties of an asset from which that asset derives its value. [Com06a, p. 35,53]
Here, the emphasis is placed on the concept of threat. It is defined as consisting of sub-components: a threat agent and an adverse action acting on assets.
The use of the term risk in security-related standards shows that its definition is more precise than the one proposed in RM standards, but it is nevertheless compliant with the ones given in RM standards. Risk in security standards is the specialisation, in the context of security, of risk in RM standards. The concept of risk is therefore aligned between RM standards and security-related standards in the alignment table (Table B.1). With regard to CC, the concepts of asset and countermeasure are also introduced in the table, because they are related to risk.
Security risk management standards
In ISO/IEC 27001, the concept of risk is not present in the glossary, but in an excerpt of the standard presenting the risk identification step, we find:
Identify the risks.
1) Identify the assets within the scope of the ISMS, and the owners of these assets.
2) Identify the threats to those assets.
3) Identify the vulnerabilities that might be exploited by the threats.
4) Identify the impacts that losses of confidentiality, integrity and availability may have on the assets. [ISO05b, p. 4]
Regarding ISO/IEC 27005, the definition of risk, proposed in the glossary, is:
information security risk
potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organisation.
NOTE: It is measured in terms of a combination of the likelihood of an event and its consequence. [ISO08, p. 1]
These definitions are very close to, and compliant in terms of the concepts involved with, the one in ISO/IEC 13335.
NIST standards also propose a different definition of risk:
Risk: The net mission/business impact considering (1) the likelihood that a particular threat source will exploit, or trigger, a particular information system vulnerability and (2) the resulting impact if this should occur. [SHF04, p. A-2]
In terms of involved concepts, risk is once again defined with the help of three components, which are threat source, vulnerability and impact. The concept of threat is defined as the combination of a threat-source, its motivation (for human threats) and threat-actions, like hacking, social engineering, or system intrusion [SGF02, p. 14].
The IT-Grundschutz [Bun05b] is less explicit in terms of concepts involved for risk. The emphasis is put on the value of risk.
Risk
A risk is the prediction of possible damage, often based on calculation, in a negative case (danger), or in a positive case a possible advantage (chance). The definition of damage or advantage depends on the benchmark values.
Risk is also often defined as the combination of the probability of the occurrence of damage and the extent of this damage. [Bun05d, p. 45]
Like security-related standards, security RM standards increase the precision of the components of risk. The consequence of the risk only differs in terms of its associated label or name, sometimes called consequence, impact or harm, but the underlying semantics remain the same. However, the cause of the risk is presented as a composition of elements, which differ between the sources. We can see differences and equivalences in the alignment table (Table B.1). The concept of asset is often mentioned in the risk definition of security-related standards. However, it is sometimes associated with the threat [ISO05b], sometimes with the vulnerabilities [ISO04b, ISO08] and sometimes with the impact [Com06a]. A conclusion is that the concept of asset plays a role in the definition of a risk and should be linked with it. But more investigation about asset is necessary to define precisely the relationship among risk, its components and the concept of asset. At this stage it is, therefore, not included in the alignment table. A new iteration of step 1 of the research method (4.1), focussed on asset, will help to understand this concept and its role in the ISSRM domain.
Security risk management methods
EBIOS defines the concept of risk as:
Risk: Combination of a threat and the losses it can cause, i.e.: of the opportunity, for a threat agent using an attack method, to exploit one or more vulnerabilities of one or more entities and the impact on the essential elements and on the organisation. [DCS04c, p. 14-15]
This definition, in terms of concepts and relationships between them, is aligned with the one of an older version of CC (v.2.3) [Com05]. Here, the cause of the risk is called threat and it encompasses vulnerability, unlike most of the ISO standards [ISO04b, ISO05b, ISO08], which define them as related but separate concepts at the same level (i.e. both composing risk). The threat in [DCS04b] is therefore composed of multiple sub-components like threat agent, attack method, attack, etc. Threat in these standards thus does not have the same sense as threat in EBIOS. Threat from these standards and threat from [DCS04b] are thus not aligned in Table B.1.
In MEHARI, the absence of a glossary is an obstacle to a clear comprehension and alignment of concepts. However, clues for the definition of risk can be found within the method.
A risk scenario is the description of a malfunction and the way in which the malfunction can happen. The malfunction states the potential damage, or the direct deterioration caused by the malfunction, and any indirect consequences. It is usual to speak of a risk situation, where it is understood that the organisation is potentially exposed to such a scenario. [...]
Each scenario will therefore be described as follows:
- The type of consequence (sometimes in relation with predefined value scale)
- The type of assets implicated by the scenario (sometimes in relation with the predefined critical resources)
- The types of causes that can lead to the risk situation. [CLU07b, p. 13-14]
In MEHARI the term risk is used less often than the term risk scenario for expressing the concept of risk. The cause and the consequence parts of the risk are well respected. A link between risk and assets is also proposed.
OCTAVE provides the following risk definition:
Risk: [...] Risk refers to a situation where a person could do something undesirable or a natural occurrence could cause an undesirable outcome, resulting in a negative impact or consequence. [AD01a, p. 46]
It breaks down into three basic components: asset, threat, and vulnerability. [AD01b, p. 5]
The definition of risk and its components is the same as in CRAMM. In this source, the risk is defined using Figure 4.2 and followed with the definition:
Security risk: The likelihood of a system’s inherent vulnerability being exploited by the threats to the system, leading to the system being penetrated. [Ins03, p. B-29]
Figure 4.2: Risk representation in CRAMM (adapted from [Ins03])
Three components compose the risk for OCTAVE [AD01b] and CRAMM [Ins03]: threat, vulnerability and the consequence relative to assets. CRAMM gives a clue in its definition of risk for defining attack with respect to a risk. It is the concrete instantiation of the threat using the vulnerability on the target system. Attack is therefore not in the potential domain of RM. Attack thus does not play a role in ISSRM. It is not taken into account in the ISSRM concept alignment table. Naturally, this definition of attack may apply only to CRAMM.
Finally, the CORAS RM method proposes a definition of risk that is highly related to the concept of unwanted incident:
Risk: A risk is an unwanted incident along with its estimated likelihood and consequence values. [VML+07, p. 313-314]
Unwanted incident: An unwanted incident is an event which reduces the value of one or more of the assets [VML+07, p. 325]
The use of the term event should not be confused with the one used in other sources like [ISO02b, AS/04, ISO04b], designating the cause of the risk. Here event actually denotes the impact of the risk on the organisation. Examples of unwanted incidents are 'design disclosed to competitor' or 'customer loses trust in [the company]', which are characteristic of an impact. Here, the term incident is not used to depict an established safety problem, as is usually the case in the literature [Fir04, Ins03]. A risk in CORAS is defined as an impact with an associated level of potentiality and consequence. Naturally the likelihood of the impact occurring is highly dependent on the cause of the risk. Further analysis of CORAS also introduces elements associated with the cause of the risk: threat, threat scenario and vulnerability.
Within security RM methods, the concept of risk is once again not universally agreed. First, the methods reinforce the conclusion obtained from RM standards that identify a cause and a consequence part in a risk. However a great diversity is found in the fine-grained definitions of risk and its components. With the new elements obtained from the sources of security RM methods and security-related standards, a tendency is emerging: the cause (or event) part of the risk consists of two elements most often called threat and vulnerability.
RE security frameworks
The conceptual model introduced in the DITSCAP automation framework is an extension of the CC [Com06a] model. The concepts related to risk are assets, threats, vulnerabilities and countermeasures, and only very brief definitions are given [GL07], as the reader is referred to the CC. Thus, the added conceptual value of this model with respect to the preceding sources is deemed insubstantial.
In [Fir03], Firesmith proposes a very precise definition of risk, which is split into safety risk and security risk:
Safety risk is the potential risk of harm to an asset due to accidents. Safety risk is defined as the sum (over all relevant hazards) of the products of the following two terms: (1) the largest negative impact of the harm to the asset (i.e., its criticality, severity, or damage) times (2) the likelihood that the hazard will result in an accident [. . . ] [Fir03, p. 31]
Security risk is the potential risk of harm to an asset due to attacks. Security risk is the sum (over all relevant threats) of the negative impact of the harm to the asset (i.e., its criticality) multiplied by the likelihood of the harm occurring [. . . ] [Fir03, p. 35]
In [MN03], Moffett and Nuseibeh were inspired by CRAMM and propose the same figure to present risk and its components (cf. Figure 4.2), associated with the following definitions (their proposal is reinforced by Haley et al. [HMLN06a, HLMN08]):
Threat: Harm that can happen to an asset
Impact: A measure of the seriousness of a threat
Attack: A threatening event
Attacker: The agent causing the attack (not necessarily human)
Vulnerability: a weakness in the system that makes an attack more likely to succeed [MN03, p. 6]
of a risk are characterised by likelihood for the cause (here, an emphasis is placed on the 'value' or 'metric' of the cause, but this property is studied in Chapter 5) and impact or harm for the consequence. Investigation of the definitions and associated information models of Firesmith shows that the likelihood of the risk depends on the likelihood of a threat (for the security domain) or hazard (for the safety domain) and the existence of a (safety or security) vulnerability.
Discussion about the concept of risk
We can draw some conclusions from this iteration of step 1 performed on the concept of risk. First of all, a risk is composed of a cause part, generally called event, and a consequence part, generally called impact. Second, an event is composed of a threat and a vulnerability.
Some other concepts have been identified as related to risk (e.g., asset). Moreover, some information about other concepts has already been found in some risk definitions (e.g., in EBIOS [DCS04b], the definition of risk indicates some components of threat, like threat agent or attack method).
However, these conclusions come from only one iteration of step 1 on the concept of risk. It is necessary to perform other iterations of step 1 on other concepts, but also again on the concept of risk, to refine the preceding conclusions and elicit the other concepts related to risk.