

Current Established Risk Assessment Methodologies and Tools

Dan Ionita

Faculty of Electrical Engineering, Mathematics and Computer Science (EEMCS)

Department of Computer Science - Information Systems group


Roel Wieringa

Wolter Pieters

Pieter Hartel

31st of July 2013


The technology behind information systems evolves at an exponential rate, while at the same time becoming more and more ubiquitous. This brings with it an implicit rise in the average complexity of systems as well as in the number of external interactions. In order to allow a proper assessment of the security of such (sub)systems, a whole arsenal of methodologies, methods and tools has been developed in recent years. However, most security auditors commonly use only a very small subset of this collection, the one that best suits their needs. This thesis aims at uncovering the differences and limitations of the most common Risk Assessment frameworks, the conceptual models that support them, and the tools that implement them. This is done in order to gain a better understanding of the applicability of each method and/or tool and to suggest guidelines for picking the most suitable one.

PREFACE

This thesis marks the successful completion of my Master in Computer Science - Information Systems Engineering at the University of Twente, Netherlands (2011-2013). It has been a truly life-changing experience, in which I have had much to learn and understand.

The topic for the thesis was chosen due to the author's interest in the European TREsPASS project (www.tresspass-project.eu). The project aims to design a new socio-technical Risk Assessment methodology, and as such, a comprehensive survey of the current state-of-the-art is essential. It is this goal that this thesis hopes to help achieve.



The author would like to thank Prof. Dr. Roel Wieringa for his unbounded support for the creation of this thesis and for providing me with opportunities far beyond my expectations. Furthermore, I would also like to extend my gratitude to my secondary supervisors, Pieter Hartel and Wolter Pieters, for useful comments and remarks. I would like to extend a special mention to Suse Engbers, who makes everything that happens in the IS department at the UT possible thanks to her dedication and skills.

However, I am and always will be most grateful to my family for the unadulterated physical, financial and emotional support which helped me get where I am now. Without you, I would be nothing! A special thanks goes to my best friend: my brother. Last but not least, I am especially grateful to my lovely girlfriend, Vincy, who stood by me whenever I felt lost and did her best to make me happy! I will be forever grateful.

I would like to make one final acknowledgment: to all the wonderful people I met while completing my Master's degree. There are too many names to mention, but you know who you are: thank you for all the good times we've had together!

CONTENTS


4.1 Decomposition of Risk according to the FAIR framework[35] and The Open Group taxonomy[23]................................................... 59

4.2 Relationships between the entities involved in RM/RA according to ISO/IEC 13335-1... 60

4.3 Decomposition of Risk level (Exposure) according to the OWASP [19] methodology... 63

4.4 Decomposition of Risk level (Exposure) according to the SRA[38] methodology...... 65

4.5 The basic entities commonly found in Information Security Conceptual Models...... 66


7.1 Decision table for selecting the most suitable RA method(s)................. 107

A.1 RA/RM methods and their complete set of characteristics.................. 119

B.1 Intermediary table used for construction of Decision Table.................. 122

CHAPTER 1


1.1 Background

In December 2012, based on EU funding, the TREsPASS project was officially launched. Consisting of 17 partners from both industry and research, the project aims to improve the way we secure information by integrating the digital, technical and social domains with the current state-of-the-art in the field of security. This is because of the impact that human behavior (be it an attacker, employee or bystander) has on the (in)security of an infrastructure. Furthermore, strict technical mechanisms can still be bypassed by using social engineering. As such, a better understanding of how these domains intertwine in the field of information security is crucial in identifying potential weak points within an organization or infrastructure.

This is where Risk Assessments come in. A Risk Assessment (RA) is a structured or semi-structured approach to analyzing the security of an infrastructure, identifying weak spots, and selecting countermeasures. Such assessments are done according to various methodologies. Currently, the sheer number of different methodologies might be overwhelming for someone trying to get an overview of Risk Assessment methods and tools. Furthermore, each such method follows a slightly different procedure, uses different data, requires certain skills, provides different output, or is based on a different understanding of Risk altogether.

One of the first deliverables within the TREsPASS project includes a survey of the state-of-the-art in Risk Assessments. This covers both methods and tools. This master thesis is, among other things, meant to provide input for that document. It can also serve as an introduction to Risk Assessment and Risk Management, or as a glossary of relevant methods and tools.

1.2 Goals

The overall goal is to obtain a better understanding of the key differences and commonalities between the various state-of-the-art Information Risk Assessment methodologies and tools. Interesting aspects are the scope, the target users of the methods or tools, and the intended audience of the results.

We are also interested in the conceptualization and decomposition of Risk according to various methodologies and how this relates to their other characteristics.

1.2.1 Research Questions

These goals can be distilled into the following research questions:

RQ1 What are the most commonly used Risk Assessment methods?

SRQ1.1 What are their goals?

SRQ1.2 What steps do they contain?

SRQ1.3 What decisions do they support?

SRQ1.4 What is the scope of each method?

RQ2 What are the underlying conceptual models used in Risk Assessment frameworks?

SRQ2.1 How does each model conceptualize Risk?

SRQ2.2 What are the sub-components of Risk and how are they combined?

SRQ2.3 What are the target organizations of each model?

SRQ2.4 What significant differences can be found between these models?

RQ3 What are the most commonly used Risk Assessment tools?

SRQ3.1 What functionality does each offer?

RQ4 What are the relationships between each tool, method and model?

1.3 Approach

The core of the thesis consists of surveys of established methodologies, related tools and underlying conceptual models. Each relevant methodology, tool and conceptual model will be described and analyzed in order to create an overview of the current state-of-the-art. The analysis of individual methods/tools is followed by a comparison of key features as well as the identification of commonalities and differences. Several discussions regarding the cross-compatibility between methodologies, tools and conceptual models are also included, with conclusions being drawn from the observations.

Finally, a guideline to choosing the most suitable method given the organization’s business context and security requirements is designed. The findings are validated via expert judgment.

1.4 Structure of the report

The report is structured in 8 chapters. This first chapter contains an introduction to the chosen topic.

Chapter 2.3 contains an introduction to the field of Information Security Risk Management, of which Risk Assessments are a part, as well as the criteria for the sub-selection discussed in this thesis.

Chapter 3 presents an overview of common Risk Assessment methods. Chapter 4 describes the various ways of conceptualizing risk that each framework implies. Chapter 5 indexes the software tools available and maps them to their relevant frameworks. Chapter 6 attempts to extract the key features from each of the previously identified methodologies and tools, while drawing conclusions regarding the most significant differences. Chapter 7 suggests a guideline to selecting the most suitable method. Chapter 8 draws some conclusions based on the previous analysis.




2.1 The Risk Management process

According to the European Network and Information Security Agency (ENISA), Risk Management (RM) is "a process aiming at an efficient balance between realizing opportunities for gains while minimizing vulnerabilities and losses" [43]. Furthermore, it is an integral part of management practice and crucial for achieving good corporate governance. Risk Management is usually a continuously re-iterating process that typically consists of several activities. Such activities typically include identifying, analyzing and prioritizing risks, finding, evaluating and applying relevant countermeasures, and monitoring the results. This process is either continuous or cyclical and focuses on achieving a coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events [26].

2.2 Information Security Risk Management

Risk Management and Risk Assessment are techniques that can be used to identify, monitor and control the risk level of an Information System (IS). Information Security Risk Management, in particular, can either be part of the overall organizational Risk Management process, or can be implemented separately [40]. Information Security Risk Management activities usually include implementing appropriate policies and related controls, promoting awareness, and monitoring and evaluating policy and control effectiveness [21]. The process is usually cyclical. An overview of a typical Information Security Risk Management process is depicted in Figure 2.1. The dashed arrow means that the Monitor process does not stop when the Control process is started. Rather, the Monitor process is continuous and runs in parallel with all other processes.

2.3 Risk Assessment

A critical step in the Information Security Risk Management process is the Risk Assessment. This involves evaluating each IT risk as well as the total IT risk, and assigning them priorities.

While Risk Assessment is an activity that also takes place as part of the Risk Management process, it is not continuous. Rather, it is a discrete activity, only initiated when required or at regular intervals. Risk Assessments usually serve to identify and analyze possible vulnerabilities of and threats to a given system, as well as the relative value of assets and the possible damage resulting from their compromise. This is done in order to estimate the risks that the owner, operator or user of the system may face.

As such, its output is the basis for all the other Risk Management activities: eliciting new security requirements, aiding in the choice and specification of countermeasures, evaluating current Security Policies, supporting relevant management decisions, assessing existing protection mechanisms and controls, etc.

The main result of a Risk Assessment is usually a qualitative or quantitative evaluation of the possible risks that a given complex system is exposed to, taking into consideration its context and likely threats.

It should be noted that most Risk Assessments, as well as most Risk Management processes, do not aim at obtaining a fully secure system, as this is often impossible. Instead, the end-goal is to reach what is perceived as an acceptable level of security at an acceptable cost (also called "good enough" security). Frameworks differ in their interpretation of this, and in the way of achieving and maintaining it.

Figure 2.1: Overview of a typical Risk Management process

In the most general sense, a Risk Assessment is a multidisciplinary task that might contain one or more of the following steps (Figure 2.1 maps the steps to the RM phases):

1. Establishment of context: Identifying and defining the digital, technical, social and business context in which the system operates, as well as building some kind of model of the information system itself. Although the context of the IS is always relevant, this step is sometimes skipped if a satisfactory specification of the IS already exists. This is usually part of the "preparation" stage in Figure 2.1.

Other activities relevant for this phase are defining the scope of the assessment, security requirements, stakeholder goals, risk criteria etc.

2. Risk Identification: this is the core of any risk assessment and has to do with using available data to identify possible attack vectors and vulnerabilities of the system. This step corresponds to the "identify" stage in Figure 2.1.
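As an added illustration of how the steps above turn into a concrete artifact (this is example code written for this page, not code from the thesis or from any of the frameworks it surveys), the following Python risk register walks through context establishment, risk identification, analysis and prioritisation, and then compares each risk against an accepted exposure level, the "good enough" criterion mentioned in Section 2.3. The asset names, findings, the 1-5 ordinal scales, the likelihood x impact product and the acceptance threshold are all constructed assumptions; real frameworks differ precisely in how they define these.

```python
"""Added example: a minimal risk register following the RA steps of Section 2.3.
All data and scales below are constructed for illustration (assumptions), not
taken from the thesis or from any particular RA framework.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed ordinal scales (assumption: 1-5 for both factors; frameworks differ here)
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Asset:
    name: str
    value: int          # business value on a 1-5 scale, fixed in step 1 (context)


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: str     # key into LIKELIHOOD
    impact: str         # key into IMPACT

    def exposure(self) -> int:
        """Quantitative risk level. Assumption: likelihood x impact product."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def level(self) -> str:
        """Qualitative band for the same risk, as reported to management."""
        e = self.exposure()
        if e >= 15:
            return "high"
        if e >= 8:
            return "medium"
        return "low"


def establish_context(asset_values: Dict[str, int]) -> Dict[str, Asset]:
    """Step 1: record the assets in scope and their relative value."""
    return {name: Asset(name, value) for name, value in asset_values.items()}


def identify_risks(assets: Dict[str, Asset],
                   findings: List[Tuple[str, str, str, str, str]]) -> List[Risk]:
    """Step 2: pair each identified threat/vulnerability with an asset in scope.
    A finding against an asset not established in step 1 is rejected; this is
    how the register catches scope drift between the two steps."""
    risks = []
    for asset_name, threat, vuln, likelihood, impact in findings:
        if asset_name not in assets:
            raise ValueError(f"finding refers to out-of-scope asset: {asset_name}")
        risks.append(Risk(assets[asset_name], threat, vuln, likelihood, impact))
    return risks


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Order by exposure, breaking ties by asset value."""
    return sorted(risks, key=lambda r: (r.exposure(), r.asset.value), reverse=True)


def needs_treatment(risks: List[Risk], acceptable_exposure: int) -> List[Risk]:
    """Everything above the accepted level must be treated; the rest is accepted
    as 'good enough' security at the current cost."""
    return [r for r in prioritise(risks) if r.exposure() > acceptable_exposure]


# Constructed sample register (hypothetical organisation)
SAMPLE_ASSETS = {"customer database": 5, "backup tapes": 4, "office wifi": 2, "public website": 3}
SAMPLE_FINDINGS = [
    ("customer database", "external attacker", "unpatched web front end", "likely", "major"),
    ("customer database", "insider", "excessive privileges", "possible", "major"),
    ("backup tapes", "theft in transit", "unencrypted offsite storage", "unlikely", "severe"),
    ("office wifi", "bystander", "weak passphrase", "likely", "minor"),
    ("public website", "defacement", "stale CMS plugin", "possible", "negligible"),
]
ACCEPTABLE_EXPOSURE = 8   # assumption: risk criterion agreed during context establishment


def run_assessment(acceptable: int = ACCEPTABLE_EXPOSURE) -> List[Tuple[str, str, int, str]]:
    """Run the steps end to end; return (asset, threat, exposure, level) for risks to treat."""
    assets = establish_context(SAMPLE_ASSETS)
    risks = identify_risks(assets, SAMPLE_FINDINGS)
    return [(r.asset.name, r.threat, r.exposure(), r.level())
            for r in needs_treatment(risks, acceptable)]


if __name__ == "__main__":
    for row in run_assessment():
        print(row)
```

With the sample data, three of the five risks exceed the accepted exposure and are returned in priority order; the wifi finding sits exactly at the threshold and is accepted, which is the kind of decision the "acceptable level at acceptable cost" criterion exists to make explicit. Changing the scales, the combination rule or the threshold changes the ranking, which is why the thesis treats the conceptualization of Risk as a distinguishing feature of each framework.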
