
Risk Modelling and Assessment

  • asharris6
  • 9 Sep 2020
  • Reading time: 2 min



CIA, Threat and Risk


Back at uni this week, and the new module is Cyber Security threats. In the first week we looked at defining risks and threats, and risk modelling and assessment.


Of course, the fundamental pillars of information security are the CIA triad - Confidentiality, Integrity and Availability.


Confidentiality is the property that a communication stays private, or that data can be read only by those who have both a need and a right to access it.


Integrity is the property that data cannot be tampered with undetected, and can be altered only by those authorised to do so.


Availability is the property that data or a service can be reached by those who are entitled to it, at the time they need it.


When these three properties hold for the assets in scope, the system is considered secure. Treat them as the minimum set to preserve rather than a complete list: authenticity and non-repudiation are often added alongside them.


We can define a threat as something which can cause damage or danger, and we calculate risk as likelihood multiplied by impact.


In other words, the risk value of a threat is the probability of that threat materialising multiplied by the cost if it does. The cost can be measured in whatever unit the organisation cares about - financial, reputational, regulatory etc. The two factors do need to be on scales that can legitimately be combined: with qualitative ratings (low/medium/high) the "multiplication" is normally done through a lookup matrix rather than as arithmetic.


Risk Modelling and Assessment


Rather than analysing every possible threat, it's better to understand the threats that are important to the individual organisation. For this, we use two standards:


- BS 7799-3 (2017) "Information security management systems - Part 3: Guidelines for information security risk management"


- ISO 27001 (2017) "Information technology - Security techniques - Information security management systems - Requirements"


The figure below is from the former document and maps the whole process and the relevant sections/documents:



Establishing context


We establish the organisation's context using clauses 4, 5.2, 5.3 and 6.2 of ISO 27001. Between them these require you to identify:


- the interested parties in the security management system and their requirements

- the internal and external issues facing the business, and the functions and processes in scope, such as stock control, invoicing, payroll etc

- the information security policy, and who is responsible for approving it

- roles within the IT security system and their responsibilities

- the objectives of the security system, and how progress against them will be measured


Identifying boundaries


Using clause 6 of BS 7799-3 we must establish where the boundary of responsibility is drawn for the company or the risk owners: for example, they may be responsible for the confidentiality of customer data within their own network, but not on the network of an external party with which they communicate. The boundary should be written down, naming the systems, data flows and third parties that are in and out of scope; an unwritten boundary is where "I thought you were protecting that" gaps come from.


Identifying Consequences


For each in-scope process identified above, we must identify the consequences of a potential breach, while keeping the details of the breach itself deliberately vague. At this stage we care about what would be lost, not how.


We can identify a process such as 'invoice customers'. A generic 'breach' of that process could lead to a consequence such as delayed payment. We can assign a weight to such a consequence using a system such as the OWASP Risk Rating Methodology.


The consequences will vary depending on the type of organisation. For example, an online shop with no physical outlets would place a much higher value on availability than a brick-and-mortar vendor with no online presence to speak of.
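The following is an added example, not code from the original post, showing how the likelihood-times-impact idea and the OWASP Risk Rating Methodology weighting above come together in a small risk register. It follows the published OWASP scheme: each likelihood and impact factor is scored 0-9, the two groups are averaged, each average maps to LOW (below 3), MEDIUM (below 6) or HIGH, and the pair is combined through OWASP's severity matrix rather than by literal multiplication. The two processes, their consequences and every factor score are constructed here for illustration; the online-only shop scores loss of availability on order-taking far higher than on invoicing, as the paragraph above suggests.

```python
"""Risk register scored with the OWASP Risk Rating Methodology.

Added example (not from the original post). Factor names, bands and the
severity matrix follow the published OWASP methodology; the processes,
consequences and scores in example_register() are constructed sample data.
"""
from dataclasses import dataclass
from statistics import mean

LIKELIHOOD_FACTORS = (
    # threat agent factors
    "skill_level", "motive", "opportunity", "size",
    # vulnerability factors
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
IMPACT_FACTORS = (
    # technical impact
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
    # business impact
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# Overall severity, indexed [impact rating][likelihood rating], as in OWASP's table.
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}
RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Note": 0}


def rate(score: float) -> str:
    """Map a 0-9 factor average onto the three OWASP bands."""
    if not 0 <= score <= 9:
        raise ValueError(f"factor average out of range: {score}")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def factor_average(factors, scores) -> float:
    """Average one factor group, refusing incomplete or out-of-range scoring."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise ValueError(f"missing factor scores: {missing}")
    bad = [f for f in factors if not 0 <= scores[f] <= 9]
    if bad:
        raise ValueError(f"factor scores must be 0-9: {bad}")
    return mean(scores[f] for f in factors)


@dataclass
class Consequence:
    process: str      # in-scope business process, e.g. 'invoice customers'
    outcome: str      # what is lost if the process is breached (not how)
    likelihood: dict  # LIKELIHOOD_FACTORS -> 0..9
    impact: dict      # IMPACT_FACTORS -> 0..9

    def likelihood_score(self) -> float:
        return factor_average(LIKELIHOOD_FACTORS, self.likelihood)

    def impact_score(self) -> float:
        return factor_average(IMPACT_FACTORS, self.impact)

    def severity(self) -> str:
        # Qualitative "likelihood x impact": a matrix lookup, not arithmetic.
        return SEVERITY[rate(self.impact_score())][rate(self.likelihood_score())]


def build_register(consequences):
    """Score every consequence and rank by severity, then by numeric risk value."""
    rows = []
    for c in consequences:
        lk, im = c.likelihood_score(), c.impact_score()
        rows.append({"process": c.process, "outcome": c.outcome,
                     "likelihood": round(lk, 2), "impact": round(im, 2),
                     "risk_value": round(lk * im, 2), "severity": c.severity()})
    rows.sort(key=lambda r: (RANK[r["severity"]], r["risk_value"]), reverse=True)
    return rows


def example_register():
    """Constructed sample for an online-only shop (assumed scores, not real data)."""
    invoicing = Consequence(
        process="invoice customers", outcome="payment delayed",
        likelihood=dict(skill_level=3, motive=4, opportunity=5, size=4,
                        ease_of_discovery=3, ease_of_exploit=3, awareness=4,
                        intrusion_detection=6),
        impact=dict(loss_of_confidentiality=2, loss_of_integrity=5,
                    loss_of_availability=5, loss_of_accountability=1,
                    financial_damage=3, reputation_damage=1,
                    non_compliance=2, privacy_violation=1),
    )
    ordering = Consequence(
        process="take online orders", outcome="shop unavailable to customers",
        likelihood=dict(skill_level=3, motive=6, opportunity=7, size=9,
                        ease_of_discovery=7, ease_of_exploit=5, awareness=6,
                        intrusion_detection=8),
        impact=dict(loss_of_confidentiality=2, loss_of_integrity=3,
                    loss_of_availability=9, loss_of_accountability=1,
                    financial_damage=7, reputation_damage=5,
                    non_compliance=2, privacy_violation=1),
    )
    return build_register([invoicing, ordering])


if __name__ == "__main__":
    for row in example_register():
        print(f"{row['severity']:<8} {row['process']:<20} {row['outcome']:<30} "
              f"L={row['likelihood']} I={row['impact']}")
```

Running it ranks the order-taking outage (likelihood HIGH, impact MEDIUM, severity High) above the delayed invoice (likelihood MEDIUM, impact LOW, severity Low). The same consequences scored for a brick-and-mortar vendor would give a much lower loss_of_availability figure and a different order, which is the point of establishing context before scoring.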


Conclusion


This is just the first step in risk modelling and assessment, but with a clearer and more objective understanding of the organisation's context, effective security controls can be designed and agreed on efficiently, without arguing over priorities.
