There is only one way to completely avoid IT risk in your workplace, and that is to never connect your computers to the unknown network, which is simply not an option in today’s world – not for individuals, and especially not for organizations. Instead, organizations must perform risk assessments to manage the inherent and unavoidable threats of being in business – and therefore connected to the Internet – today.
Risk assessment is the process by which an organization comes to understand its risks, its weak points in the system, which vulnerabilities have the most impact, and how to mitigate the risks as much as possible. By doing so, an organization must become familiar with all its systems, processes, and personnel, as well as the current state of threats and vulnerabilities. Risk assessment must take into account physical and environmental factors, and departments with functions that vary from administration to sales to technical support.
However, given the changing state of information management, doing an accurate assessment of risk is a major challenge. This is especially true in the volatile area of security, where new threats emerge every day, and in an increasingly sensitive regulatory environment, with escalating concerns dedicated to digital records and privacy.
What is a Risk Assessment Framework?
In order to deal with the increasing complexity of IT risk assessment, frameworks have emerged as a solution; ensuring organizations have a way of dealing with all aspects of risk and mitigation. Frameworks guide organizations to address each of the following aspects of risk management:
- Inspection and validation;
- Workflow and process;
- Employee readiness;
- Assignment of responsibility;
- Scheduled maintenance, including retraining and reassessment.
There are some commercial tools on the market for risk assessment, but they tend to be focused either on quantitative – numerical – analysis, while the softer and more intuitive qualitative analysis approach doesn’t translate as well to a software environment. The best results are obtained by combining the methods and benefiting both from metrics and intuition. The following are some examples of Risk Assessment Frameworks.
Risk Assessment Frameworks
Operationally Critical Threat, Asset and Vulnerability Evaluation
OCTAVE was developed at the CERT Coordination Center at Carnegie Mellon University. OCTAVE is a suite of tools, techniques, and methods for assessing risk and planning mitigation strategies.
OCTAVE, in setting up its risk assessment framework, defines assets as including people, hardware, software, information, and systems. There are three models of OCTAVE:
- The original, on which the OCTAVE body of knowledge was built, is ideal for organizations with hundreds of employees.
- OCTAVE-S is similar to the original but is directed at organizations that have fewer security and risk-management resources.
- OCTAVE-Allegro, this is the most streamlined approach that still addresses IT risk assessment and mitigation.
The OCTAVE criteria were developed as a standard approach to risk management, and established fundamental principles and attributes that still drive our overall approach to risk assessment.
OCTAVE principles include the following:
- Self-directed. Small teams from various business units and IT collaborate to address the security needs of the organization.
- Each standard or approach can be customized to an organization’s security needs and skill level.
- Promotes an operational view of security that addresses technology in a business context.
- Robust and well-documented.
- Freely available.
- Templatable to be the organization’s risk-assessment model, even to the point of acting as a process template for other risk methodologies.
- Holistic: takes into account physical infrastructure, technical competence, and personnel.
Factor Analysis of Information Risk
FAIR is a framework designed specifically to address security practice weaknesses. The framework includes a standard taxonomy for IT risk, common nomenclature for risk terms, criteria for data collection, metrics for risk factors, a risk calculator engine, and modelling for advanced scenarios.
FAIR principles include the following:
- The framework sets a common vocabulary pertaining to risk.
- The framework demonstrates how to apply risk assessment to any object or asset.
- The framework views organizational risk holistically.
- The framework determines risk using advanced analysis.
- The framework enables stakeholders to understand how time and money will affect the organization’s security profile.
- Common language.
- It doesn’t use ordinal scales, such as one-to-ten rankings, and therefore isn’t subject to the limitations that go with ordinal scales, which are not appropriate to risk evaluation.
- Uses dollar estimates for losses and probability values for threats and vulnerabilities, enabling true mathematical modeling of risk.
- Definitions of threats, vulnerabilities, and risks are well-defined in FAIR.
- Not as well-documented as OCTAVE.
- Not easy to get started.
National Institute of Standards and Technology’s Risk Management Framework specifies serial activities that are tuned to managing IT risk. The NIST says the activities are pertinent to both new and legacy information systems.
The activities include:
- Categorizing for risk based on impact, not only of the failure of specified information systems, but also the importance of the information within those systems.
- Selecting security requirements and controls for the systems. For federal agencies, this is specifically to be based on the Federal Information Processing Standards (FIPS) 199 security categorization and the requirements in FIPS 200.
- Implementing security controls.
- Assessing the security controls for correct implementation and desired outcomes.
- Authorizing systems operation based on an assessment of risk to the organization and its assets, or to individuals as a result of the operation of the systems, and a determination that the risk is within acceptable standards.
- Continued monitoring, including tracking changes to the systems and tracking the impact of those changes.
- Reporting the risk status of the systems to appropriate people on an appropriate schedule.
- The framework is not only for risk assessment, but also for risk management.
- It was developed by NIST, which is charged by the U.S. Congress with providing security standards high enough to protect government systems.
- The standards and tools are both cost-effective and highly adaptable.
- The framework is always being reviewed and updated according to new technologies as well as to comply with new legislation.
- Easily helps to identify systems and/or applications that present the highest risk if breached.
- Because it’s a standard, it’s really a document, not a tool, so it is a series of recommendations and processes rather than automation.
- Its nomenclature, which makes heavy use of acronyms in the framework and supporting tools, can be difficult for users to understand.
The Threat Agent Risk Assessment
TARA is a newer risk-assessment framework that was created by Intel. It approaches risk management by keeping the huge number of potential information security attacks allow only those risks that are likely to occur, based on the understanding that it is too costly to defend against every conceivable threat. By predicting the likelihood of certain risks, organizations can better deploy resources to manage more relevant threats and close the most damaging vulnerabilities.
TARA uses three main references in reaching predictive conclusions:
- Intel’s threat agent library
- Intel’s common exposure library
- Intel’s methods and objectives library
- Provides a threat agent view of risk, which can be easily used among other risk-assessment methods.
- Good for identifying, predicting, and prioritizing threats against infrastructure.
- Focuses on threats rather than assets, so it’s possible to miss asset-based attacks.
- Views risk from the perspective of worst possible outcome, which is a narrow view.
- Assesses likelihood of threats, but not impact of the risk.
- Is new and untested.
Risk Assessment Methodologies
There are three recognized methodologies for risk assessment:
- Asset Audit
- Pipeline Model
- Attack Tree
The asset audit approach in risk assessment looks at the organization’s assets and determines whether each asset has adequate and appropriate protection. The asset audit process typically includes the following steps:
- Information asset identification – Identifies all the data stored in the system, processed by the system, transmitted by the system, or in some other way is consumed by the system. This data can include company policy manuals, program source code, and customer information, for example.
- Data flow – Identifies how each information asset arrives, is stored by, and leaves the system.
- Threat analysis – Identifies the vulnerabilities of the data as it enters, is stored by, and leaves the system.
- Likelihood of threat – Places a probability value on how likely it is that a threat will happen.
- Impact Analysis – Assesses the impact of a data breach, corruption, or destruction, or the cost of data or a service being unavailable for a given period of time.
- Mitigation – Select the safeguards and controls that need to be in place to adequately and appropriately protect the organization’s IT assets. Mitigation can employ technical tools, like personal firewalls on remote users’ computers, or non-technical, like acceptable use policies or security awareness training.
An asset audit is a straightforward method for assessing risks by looking at the value and the vulnerability of an asset. Participants in the process also gain a better understanding of their information flow, vulnerabilities and the value of their Information assets.
In the Pipeline approach, risks are assessed on a pipeline, which is the system component that is responsible for processing a certain type of transaction. Consequently, this model is useful for assessing the security of transactional systems.
Each pipeline is made up of five components:
- Active processes, which are the software that make the transactions happen;
- Communication processes, which send and receive data in the form of messages over the networks;
- Stable data processes, which put stable information into the pipeline;
- Inquiry processes, which request information from the pipeline;
- Access control processes, which control human access to the pipeline.
The security policy of the organization determines the security requirements for each pipeline. The pipelines are each reviewed according to above five components to identify security requirements and gaps.
Attack trees, which are a variant of fault trees, provide a methodical way to describe the security of systems based on attack information, like who, when, how, why, and with what probability an attack will occur. The tree is a visualization of the system and its vulnerabilities, so that the top of the attack tree – or its root node – represents the final goal of the attacker, the specific data or data store they are looking for. While the branches and leaf nodes show different ways of approaching the system or attaining the goal.
To build an attack tree, which is a model of the system to be protected, follow these steps:
- Identify any threats that could attack the system. This list includes unhappy employees, malware, infiltrators, competitors, and so on.
- Consider what each threat might accomplish. Each of these possible goals will become the top of an attack tree, so you have an attack tree for each threat.
- Identify all ways an attacker could achieve the goal. These attack methods then become a second layer of goals, sitting directly under the top of the tree.
- For each of these goals in the second layer, assess whether there is another layer of ways to attain the second-layer goal. Repeat this assessment until each of the leaves on the attack tree represents a single, specific defined method of attack.
Now that you have created a visual representation of your system and its vulnerabilities, you can evaluate each path to determine the likelihood of each attack method, and using institutional knowledge, assess the business impact to mitigate each attack.
Benefits of Risk Assessment
- Doing a risk assessment requires the participants (stakeholders, business owners, etc.) to specifically identify its information assets and their value to the organization, whether marketing value or the value of its integrity, in the case of protecting personal information.
- Stakeholders will have an understanding of their organization’s risk exposure and whether existing safeguards are adequate.
- Participants within the organization become more aware of risks and learn to think defensively, and avoid practices that might open the organization to further risk.
- Doing an assessment enables creation of a risk awareness training program that is effective and meaningful to employees, including managers.
- The organization can set risk tolerance standards, based on better knowledge of their assets, best security practices, and legal & regulatory requirements for their industry.
Disadvantages of Risk Assessment
- Stakeholders often do not have the time, or feel they do not have the time, to do risk assessment.
- Ultimately, even organizations that are ready to dedicate the time often do not know how or where to start.
- Existing, published guidelines are too general and high-level for practical use.
- Like all systems, ensuring reasonable and meaningful data is entered in is necessary to ensuring that meaningful information comes out of it.
To do it right, risk assessment requires a lot of effort, especially if stakeholders are committed to assessing the entire organization, including all its critical business and information systems. Commercial risk assessment tools exist, such as XiSec RA tool, Vectra Corporation’s Virtual Security Auditor, and COBRA’s Risk Consultant, but these tools are based mainly on qualitative risk assessment rather than quantitative assessment or – better yet – a combination of the two methods. But typically, the more subtlety a tool can be, the more complicated it is to use.
Frameworks allow users to determine their own software, while using proven methodologies for assessing and managing risk in their organization. And despite the drawbacks of the various tools and methodologies, assessing risk is a critical component of an organization’s security management plan.
Risk assessment should be a standard internal process included in system development lifecycles as well as system and process QA. Organizations must ensure that appropriate and adequate security is in place and that the organization knows the nature and value of its assets; and risk assessment is a way to satisfy both of these business-critical needs.