Question 2: What does risk assessment mean?
When it comes to risk assessment, the first things that come to mind are terms such as risk, asset, impact, threat and vulnerability: none of them is hard to understand on its own, but taken together they can read like a tongue twister. Risk, for example, using the definition in ISO/IEC TR 13335-1:1996, can be interpreted as the potential for a specific threat to exploit a weakness in one or more assets, resulting in the loss or destruction of those assets.
Risk assessment is the evaluation of the threat, the vulnerability, the impact, and the likelihood that the combination of the three poses a risk to an information asset. As the basis of risk management, risk assessment is an important way for an organization to determine its information security needs, and it belongs to the planning process of the organization's information security management system.
The main tasks of risk assessment include:
Identifying the various risks faced by the organization
Evaluating the probability of risks and possible negative impacts
Determining the organization's ability to withstand the risks
Determining the priority level of risk reduction and control
Recommending countermeasures for risk reduction
Several key questions must be considered during the risk assessment process. First, what is the object (or asset) being protected, and what is its direct and indirect value? Second, what are the potential threats to the asset, what gives rise to them, and how likely are they to occur? Third, where are the weaknesses in the asset that a threat could exploit, and how easily can they be exploited? Fourth, what damage or negative impact will the organization suffer if a threat event occurs? Finally, what security measures should the organization take to minimize the damage caused by the risk?
The process of addressing the above questions is the process of risk assessment.
When conducting a risk assessment, there are several correspondences that must be considered:
Each asset may be exposed to multiple threats
There may be more than one source of threats (threat agents)
Each threat may exploit one or more vulnerabilities
Three possible paths to a risk assessment
During the preparation phase of risk management, the organization defines its security strategy on the basis of its security objectives, and that strategy includes a risk assessment strategy. The risk assessment strategy is simply the way the risk assessment is to be carried out: it specifies the operational process and how the assessment is to proceed.
The operational scope of a risk assessment can be the entire organization, a department within the organization, or an information system, specific system components, and services. Certain factors affecting the progress of the risk assessment, including the timing, intensity, rollout, and depth of the assessment, should be tailored to the organization's environment and security requirements. Organizations should choose the appropriate risk assessment path for different situations. Currently, the risk assessment paths often used in practice include baseline assessment, detailed assessment and combined assessment.
Baseline Assessment
If the organization's business operations are not very complex, its reliance on information processing and networking is not very high, or its information systems tend to follow a common, standardized model, then a Baseline Risk Assessment (BRA) is a straightforward and simple way to achieve a basic level of security and to meet the requirements of the organization and its business environment.
With Baseline Risk Assessment, an organization conducts a security baseline check (comparing existing security measures with those specified in the security baseline to find out the gaps) of its information system based on its actual situation (industry, business environment and nature, etc.), and then comes up with the basic security needs to mitigate and control the risks by selecting and implementing standard security measures. A security baseline is a set of security controls or practices specified in a number of standards and specifications that are applicable to all systems in a given environment and that satisfy the basic security needs and enable a system to achieve a certain level of security protection. Organizations can select a security baseline based on the following resources:
- international and national standards, such as BS 7799-1 and ISO 13335-4;
- industry standards or recommendations, such as the German Federal Security Agency's IT Baseline Protection Handbook;
- practices from other organizations with similar business goals and sizes.
Organizations can, of course, establish their own baselines where their environment and business goals warrant it.
The advantages of a baseline assessment are that it requires fewer resources, takes less time, and is simpler to perform, which makes it clearly the most cost-effective way to assess risk for the many organizations with similar environments and comparable security needs. Baseline assessment also has unavoidable disadvantages. Setting the level of the baseline is difficult: if it is too high, resources may be wasted and operations over-restricted; if it is too low, adequate security may not be achieved. In addition, baseline assessment makes it harder to manage security-related changes.
The goal of a baseline assessment is to establish a minimal set of countermeasures that meets the basic goals of information security, and it can be applied organization-wide, and should be built upon with more detailed assessments of specific systems if there is a particular need.
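The security baseline check described above (comparing the controls in place with those the baseline requires and listing the gaps) is easy to mechanize. The following Python example is added here to illustrate it and is not code from the original article; the control identifiers, descriptions, maturity levels and baseline entries are all constructed for the example rather than taken from any real standard.

```python
# Added example: a baseline security check (gap analysis).
# The baseline, control identifiers and maturity levels below are
# constructed for illustration; they are not taken from any real standard.

NOT_IMPLEMENTED, PARTIAL, FULL = 0, 1, 2
LEVEL_NAMES = {0: "not implemented", 1: "partial", 2: "full"}

# Hypothetical baseline: control id -> (description, required level).
BASELINE = {
    "AC-1": ("Access control policy documented and approved", FULL),
    "AC-2": ("Unique user accounts; shared accounts prohibited", FULL),
    "BK-1": ("Backups taken and restore tested at least annually", FULL),
    "LG-1": ("Security-relevant events logged and retained", PARTIAL),
    "PH-1": ("Server room access restricted to authorized staff", FULL),
}

# Constructed snapshot of what the organization has in place today.
CURRENT_STATE = {
    "AC-1": FULL,
    "AC-2": PARTIAL,   # a few shared admin accounts remain
    "BK-1": PARTIAL,   # backups run, but restores have never been tested
    "LG-1": FULL,
    # "PH-1" is absent: nothing is in place for it
}


def baseline_gap_check(baseline, current):
    """Compare implemented control levels against the baseline.

    Returns a list of gap records, largest shortfall first, so the
    organization can prioritise the standard measures it still needs.
    A control missing from `current` counts as not implemented.
    """
    gaps = []
    for control_id, (description, required) in baseline.items():
        implemented = current.get(control_id, NOT_IMPLEMENTED)
        if implemented < required:
            gaps.append({
                "control": control_id,
                "description": description,
                "required": LEVEL_NAMES[required],
                "implemented": LEVEL_NAMES[implemented],
                "shortfall": required - implemented,
            })
    return sorted(gaps, key=lambda g: (-g["shortfall"], g["control"]))


def coverage_ratio(baseline, current):
    """Fraction of baseline controls that meet their required level."""
    met = sum(
        1 for cid, (_, required) in baseline.items()
        if current.get(cid, NOT_IMPLEMENTED) >= required
    )
    return met / len(baseline)


if __name__ == "__main__":
    for gap in baseline_gap_check(BASELINE, CURRENT_STATE):
        print(f"{gap['control']}: required {gap['required']}, "
              f"have {gap['implemented']} - {gap['description']}")
    print(f"baseline coverage: {coverage_ratio(BASELINE, CURRENT_STATE):.0%}")
```

The output of the gap check is exactly the input the baseline path needs next: each gap maps to a standard security measure from the baseline, and the shortfall ordering gives a first-cut priority for implementing them.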
Detailed Assessment
Detailed risk assessment requires a detailed identification and evaluation of assets, an assessment of the level of threats and vulnerabilities that could give rise to risk, and the identification and selection of security measures based on the results of the risk assessment. This assessment path embodies the core idea of risk management: identify the risks to an asset and reduce them to an acceptable level, thereby demonstrating to management that the security controls chosen are appropriate.
The advantages of a detailed assessment are:
- an organization can use a detailed risk assessment to gain a precise understanding of its information security risks and to accurately define its current level of security and its security needs;
- the results of a detailed assessment can be used to manage security changes.
Of course, a detailed risk assessment can be very resource-intensive in terms of time, effort, and technology, so the organization should carefully set the scope of the information systems to be assessed, defining the boundaries of the business environment, operations, and information assets.
Combined assessments
Baseline risk assessment requires fewer resources, takes less time, and is simpler to perform, but it is less accurate and suited to general environments; detailed risk assessment is accurate and thorough, but requires more resources and is suited to smaller scopes with strictly defined boundaries. In practice, most organizations adopt a combination of the two.
To decide which approach to use for which system, the organization first conducts a preliminary high-level risk assessment of all systems, focusing on the business value of each information system and the risks it may be exposed to, and identifies the high-risk or business-critical information assets (or systems) that should be included in the scope of the detailed risk assessment; for the remaining systems, security measures can be selected directly through the baseline risk assessment.
This assessment path combines the strengths of baseline and detailed risk assessment: it saves assessment resources while ensuring a comprehensive and systematic result, allows the organization's resources and funds to be applied where they do the most good, and lets high-risk information systems be dealt with first. Of course, combined assessment has its drawbacks: if the initial high-level risk assessment is not sufficiently accurate, certain systems that need detailed assessment may be overlooked, ultimately leading to inaccurate results.
Common Methods of Risk Assessment
There are a variety of operational methods that can be used in the risk assessment process, including Knowledge-based analysis, Model-based analysis, Qualitative analysis and Quantitative analysis. Regardless of the approach, the goal is to identify the risks and impacts on the organization's information assets, as well as the gaps between the current level of security and the organization's security needs.
Knowledge-based Analysis
In a baseline risk assessment, an organization can use knowledge-based analysis to identify the gaps between the current state of security and the baseline security standard.
Knowledge-based analysis, also known as empirical methods, involves the reuse of "best practices" from similar organizations (including size, business goals, markets, etc.) and is appropriate for general information security communities. With knowledge-based analysis, an organization does not need to expend a lot of effort, time, and resources, but simply collects relevant information through a variety of means, identifies the organization's risk areas and current security measures, compares them to specific standards or best practices, identifies inconsistencies, and selects security measures in accordance with the standards' or best practice's recommendations, ultimately achieving the goal of mitigating and controlling the risk.
The most important aspect of the knowledge-based analysis approach is the collection of information for the assessment, which includes:
- meeting discussions;
- reviewing current information security policies and related documentation;
- creating questionnaires and conducting surveys;
- conducting interviews with relevant personnel;
- conducting on-site field visits.
To simplify the assessment process, organizations can adopt supporting automated tools that help them develop questionnaires meeting the requirements of a particular standard, and then synthesize and analyze the answers and produce a final recommendation report after comparing them with that standard. A number of such tools are available on the market; Cobra is a typical example.
Model-Based Analysis Methodology
In January 2001, a number of commercial companies and research institutes from Greece, Germany, the United Kingdom, and Norway jointly launched a project called CORAS (Platform for Risk Analysis of Security Critical Systems). The aim of the project is to develop a risk assessment framework based on object-oriented modeling, and in particular on UML techniques, for assessing systems with high security requirements in general and the security of IT systems in particular. CORAS takes into account the technology, the people, and all other aspects related to the security of the organization. Through CORAS risk assessment, organizations can define, achieve, and maintain the confidentiality, integrity, availability, non-repudiation, traceability, authenticity and reliability of their IT systems.
Like traditional qualitative and quantitative analysis, CORAS risk assessment follows the process of identifying, analyzing, evaluating, and treating risks, but its way of measuring risk is completely different: all analysis is based on an object-oriented model. Among its benefits: it improves the quality of the analysis; the graphical modeling mechanism facilitates communication and reduces misunderstanding; and it makes different assessment methods interoperate more efficiently.
Quantitative Analysis
When performing detailed risk analysis, in addition to the possibility of using knowledge-based assessment methods, the most traditional methods are quantitative and qualitative analysis.
The idea behind the quantitative approach is clear: by assigning numerical or monetary values to the various elements that make up the risk and to the level of potential loss, the entire process and results of risk assessment can be quantified when all the elements that measure the risk (value of the asset, frequency of threats, degree of exploitation of weaknesses, efficiency and cost of security measures, etc.) are assigned values.
Simply put, quantitative analysis is a methodology that attempts to analyze and assess security risks numerically.
There are several important concepts in quantitative risk analysis:
- Exposure Factor (EF): the percentage of damage, or degree of loss, that a particular threat causes to a particular asset.
- Single Loss Expectancy (SLE), also called SOC (Single Occurrence Cost): the total potential loss that a specific threat could cause in one occurrence.
- Annualized Rate of Occurrence (ARO): the frequency with which a threat is estimated to occur in a year.
- Annualized Loss Expectancy (ALE), also called EAC (Estimated Annual Cost): the expected value of the loss suffered by a particular asset within a year.
Examining the process of quantitative analysis shows how these concepts relate:
(1) First, identify the asset and assign it a value;
(2) Evaluate the impact of a specific threat on a specific asset through threat and vulnerability assessment, i.e., the EF (a value from 0% to 100%);
(3) Estimate how often the specific threat occurs in a year, i.e., the ARO;
(4) Calculate the SLE of the asset:
SLE = Asset Value × EF
(5) Calculate the ALE of the asset:
ALE = SLE × ARO
Here's an example: suppose a company invests $500,000 in building a Network Operations Center (NOC), whose greatest threat is fire, and in the event of a fire, the estimated loss level of the NOC is 45%. Based on the fire department's assumption that a fire will occur in the area where the Network Operations Center is located once every 5 years, we arrive at an ARO of 0.20. Based on these figures, the ALE for the company's network operations center would be $45,000.
We can see that there are two metrics that are most critical for quantitative analysis, the likelihood of an event occurring (which can be expressed as ARO), and the loss that could be caused by a threatening event (expressed as EF).
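The following Python script is an added worked example, not code from the original article. It carries the NOC fire scenario above through the SLE, ARO and ALE steps, and goes one step further than the text by comparing the ALE before and after a hypothetical countermeasure; the fire-suppression figures (reduced EF, annual cost) are constructed assumptions, and the cost/benefit comparison is a common extension of the ALE method rather than part of the article's own example.

```python
# Added example: quantitative risk analysis with SLE, ARO and ALE.
# The NOC figures come from the article's example; the fire-suppression
# countermeasure and its cost are constructed assumptions.


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x EF, where EF is the fraction of the value lost."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(occurrences, years):
    """ARO: expected number of occurrences per year (e.g. 1 per 5 years = 0.2)."""
    if years <= 0:
        raise ValueError("years must be positive")
    return occurrences / years


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO."""
    return sle * aro


def safeguard_value(ale_before, ale_after, annual_safeguard_cost):
    """Net annual benefit of a countermeasure; positive means it pays for itself.

    This cost/benefit comparison is a common extension of the ALE method
    and is not part of the article's own worked example.
    """
    return ale_before - ale_after - annual_safeguard_cost


def noc_fire_scenario():
    """The article's NOC example: $500,000 asset, 45% EF, one fire per 5 years."""
    asset_value = 500_000
    ef = 0.45
    aro = annualized_rate_of_occurrence(1, 5)          # 0.2
    sle = single_loss_expectancy(asset_value, ef)      # 225,000
    ale = annualized_loss_expectancy(sle, aro)         # 45,000
    return {"asset_value": asset_value, "ef": ef, "aro": aro, "sle": sle, "ale": ale}


def noc_with_suppression():
    """Constructed assumption: suppression cuts EF to 10% for $8,000 per year.

    The ARO is unchanged because suppression limits the damage of a fire
    rather than preventing fires from starting.
    """
    base = noc_fire_scenario()
    reduced_ef = 0.10
    annual_cost = 8_000
    sle_after = single_loss_expectancy(base["asset_value"], reduced_ef)
    ale_after = annualized_loss_expectancy(sle_after, base["aro"])
    return {
        "ale_after": ale_after,
        "net_benefit": safeguard_value(base["ale"], ale_after, annual_cost),
    }


if __name__ == "__main__":
    base = noc_fire_scenario()
    print(f"SLE = ${base['sle']:,.0f}, ARO = {base['aro']}, ALE = ${base['ale']:,.0f}")
    after = noc_with_suppression()
    print(f"ALE with suppression = ${after['ale_after']:,.0f}, "
          f"net annual benefit = ${after['net_benefit']:,.0f}")
```

Keeping EF as a fraction in [0, 1] and rejecting anything else catches the most common spreadsheet mistake (entering 45 instead of 0.45), which would silently inflate every downstream figure by a factor of 100.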
In theory, quantitative analysis can grade security risk precisely, but this presupposes that the reference data are accurate. In practice, with information systems becoming ever more complex and changeable, the reliability of the data on which quantitative analysis rests is very hard to ensure, and together with the lack of long-term statistical data this makes the calculation prone to error and refinement of the analysis very difficult. As a result, purely quantitative analysis is now relatively rarely used in information security risk analysis.
Qualitative Analysis
Qualitative analysis grades the elements of risk management (value of assets, likelihood of threats, ease of exploitation of vulnerabilities, effectiveness of existing controls, etc.) on a small number of levels, for example the three levels "high," "medium," and "low."
Qualitative analysis can be carried out in a variety of ways, including group discussions (such as the Delphi method), checklists, questionnaires, interviews, surveys and so on. It is relatively easy to perform, but its results may be inaccurate because of bias in the operator's experience and intuition.
Compared with quantitative analysis, qualitative analysis is somewhat better in accuracy but not precise enough, while quantitative analysis is the opposite; qualitative analysis does not carry the calculation burden of quantitative analysis, but it requires analysts with a certain degree of experience and ability; quantitative analysis relies on large amounts of statistical data, while qualitative analysis has no such requirement; and qualitative analysis is more subjective, while quantitative analysis rests on objective data.
In addition, the results of quantitative analysis are intuitive and easy to understand, while the results of qualitative analysis are difficult to interpret uniformly. Organizations can choose qualitative or quantitative methods depending on their specific situation.